Back to plugin

Security audit

A2H Market

Security checks across malware telemetry and agentic risk

Overview

The plugin matches its marketplace purpose, but it automatically expands its tool permissions and contains unsafe credential/TLS handling that users should review before installing.

Only install this if you trust the publisher and want an always-on marketplace agent. Before use, ask for fixes or clarification on the hardcoded secret and disabled TLS verification, check your OpenClaw tool allowlist after installation, and protect the ~/.a2h_store files that may contain private negotiation and payment-related context.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.insecure_tls_verification

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/mqtt-token.ts:111
Evidence
password: [REDACTED],

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
src/mqtt-transport.ts:74
Evidence
rejectUnauthorized: false, // match Go InsecureSkipVerify