File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- src/mqtt-token.ts:111
- Evidence
password: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
The plugin matches its marketplace purpose, but it automatically expands its tool permissions and contains unsafe credential/TLS handling that users should review before installing.
Only install this if you trust the publisher and want an always-on marketplace agent. Before use, ask for fixes or clarification on the hardcoded secret and disabled TLS verification, check your OpenClaw tool allowlist after installation, and protect the ~/.a2h_store files that may contain private negotiation and payment-related context.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal, suspicious.insecure_tls_verification
password: [REDACTED],
rejectUnauthorized: false, // match Go InsecureSkipVerify