Back to plugin

Security audit

QuantClaw

Security checks across malware telemetry and agentic risk

Overview

QuantClaw appears to do what it claims: classify requests and route them to configured model targets, with no unrelated credential or install requests.

This plugin appears coherent for its purpose, but install it only if you are comfortable with a routing plugin seeing your prompts and sending them to the judge/model endpoints you configure. Use trusted model endpoints, protect any API keys placed in quantclaw.json or referenced through environment variables, and treat custom modules or optional Python router components as code you should review before enabling.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.install_untrusted_source

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/routers/quant.ts:402
Evidence
apiKey: [REDACTED] || undefined,

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/stats-dashboard.ts:1059
Evidence
apiKey: [REDACTED](prefix + '-apiKey').value.trim(),

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
config.example.json:11
Evidence
"endpoint": "http://127.0.0.1:8000",