Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- dist/index.js:37
- Evidence
const env = params.env ?? process.env;
Security audit
Security checks across malware telemetry and agentic risk
This package behaves like a disclosed Facebook Messenger channel plugin, with expected use of Meta credentials, webhooks, and Graph API calls.
Install only if you intend to connect an OpenClaw agent to a Facebook Page. Treat the Meta Page token and App Secret as sensitive, review the default open DM policy, and expect the plugin to cache a derived Page token and subscribe the Page webhook automatically.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access, suspicious.potential_exfiltration
const env = params.env ?? process.env;
const env = params.env ?? process.env;
const raw = await fs.readFile(credentialPath(accountId), "utf8");
const raw = await fs.readFile(credentialPath(accountId), "utf8");