File appears to expose a hardcoded API secret or token.
- Code
- suspicious.exposed_secret_literal
- Location
- index.ts:365
- Evidence
client_secret: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a real Google Chat/Pub/Sub channel plugin whose access mostly matches its purpose, but users should understand it can read all messages and files in configured Chat spaces.
Install this only if you intend OpenClaw agents to process every message, and potentially attachments, in the Google Chat spaces you configure—not just messages that mention the bot. Use a dedicated GCP project/OAuth client where possible, restrict the configured spaces, protect the token and service-account files, and prefer the npm/OpenClaw install path over manually using the source bundle unless you have checked the unused .tgz archive.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration
client_secret: [REDACTED],
tokens = JSON.parse(readFileSync(tokensFile, "utf-8"));