Back to plugin

Security audit

Zoho Cliq

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Zoho Cliq channel plugin that uses sensitive chat/OAuth permissions for its stated messaging purpose, with no evidence of hidden exfiltration or destructive behavior.

Install only if you intend to connect OpenClaw to Zoho Cliq. Configure a strong webhookSecret, keep clientSecret and refreshToken in SecretRefs or environment variables, avoid open/wildcard admission for untrusted workspaces, and grant only the Zoho scopes needed for the features you will use.

VirusTotal

57/57 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/setup-wizard.js:9
Evidence
clientSecret: "[REDACTED]",

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/account-inspect.test.ts:86
Evidence
clientSecret: "[REDACTED]",

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/client-logging.test.ts:38
Evidence
const oauthBody = opts.oauthBody ?? { access_token: "[REDACTED]", expires_in: 3600 };

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/secret-contract.test.ts:109
Evidence
clientSecret: "[REDACTED]",

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/secret-resolve.test.ts:24
Evidence
const cfg = cfgWith({ clientSecret: "[REDACTED]" });

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/setup-wizard.ts:26
Evidence
clientSecret: "[REDACTED]",