File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/src/setup-wizard.js:9
- Evidence
clientSecret: "[REDACTED]",
Security audit
Security checks across malware telemetry and agentic risk
This is a coherent Zoho Cliq channel plugin that uses sensitive chat/OAuth permissions for its stated messaging purpose, with no evidence of hidden exfiltration or destructive behavior.
Install only if you intend to connect OpenClaw to Zoho Cliq. Configure a strong webhookSecret, keep clientSecret and refreshToken in SecretRefs or environment variables, avoid open/wildcard admission for untrusted workspaces, and grant only the Zoho scopes needed for the features you will use.
57/57 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
clientSecret: "[REDACTED]",
clientSecret: "[REDACTED]",
const oauthBody = opts.oauthBody ?? { access_token: "[REDACTED]", expires_in: 3600 };clientSecret: "[REDACTED]",
const cfg = cfgWith({ clientSecret: "[REDACTED]" });clientSecret: "[REDACTED]",