File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- src/telegram-client.ts:37
- Evidence
password: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
This looks like a real Telegram summarizer, but setup can change global OpenClaw tool permissions and the plugin handles Telegram sessions/messages on a background schedule.
Install only if you trust this plugin with your Telegram account and chat contents. Before use, inspect the flagged `src/telegram-client.ts` password line, review the OpenClaw config changes made by setup, restrict the tool allowlist/profile where possible, protect `apiHash`, `sessionString`, and bot tokens, and confirm the scheduler and summary destination are exactly what you intend.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
password: [REDACTED],