File appears to expose a hardcoded API secret or token.
- Code
- suspicious.exposed_secret_literal
- Location
- src/routers/quant.ts:402
- Evidence
apiKey: [REDACTED] || undefined,
Security audit
Security checks across malware telemetry and agentic risk
QuantClaw appears to do what it claims: classify requests and route them to configured model targets, with no unrelated credential or install requests.
This plugin appears coherent for its purpose, but install it only if you are comfortable with a routing plugin seeing your prompts and sending them to the judge/model endpoints you configure. Use trusted model endpoints, protect any API keys placed in quantclaw.json or referenced through environment variables, and treat custom modules or optional Python router components as code you should review before enabling.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal, suspicious.install_untrusted_source
apiKey: [REDACTED] || undefined,
apiKey: [REDACTED](prefix + '-apiKey').value.trim(),
"endpoint": "http://127.0.0.1:8000",