Back to plugin

Security audit

TeamChat

Security checks across malware telemetry and agentic risk

Overview

TeamChat appears to be a legitimate local chat workspace, but its server exposes sensitive tokens and workspace data through insufficiently protected endpoints.

Use TeamChat only in a trusted local environment unless you first harden the server. Set password authentication, bind it to localhost or place it behind access controls, do not configure real gateway tokens until the token endpoint is fixed, and treat the data directory as sensitive.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/check_open_source_clean.cjs:39
Evidence
return execFileSync('git', args, { encoding: 'utf8' }).trim();

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/smoke.cjs:35
Evidence
const child = spawn(process.execPath, [serverFile], {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/doctor.cjs:7
Evidence
const openclawHome = process.env.OPENCLAW_HOME || path.join(os.homedir(), '.openclaw');

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/smoke.cjs:5
Evidence
const PORT = Number(process.env.PORT || 18788);

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
assets/js/core/app.js:55
Evidence
this.authToken = [REDACTED];

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
assets/js/services/api.js:13
Evidence
this.authToken = [REDACTED]();

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
public/assets/js/core/app.js:55
Evidence
this.authToken = [REDACTED];

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
public/assets/js/services/api.js:13
Evidence
this.authToken = [REDACTED]();

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
team_chat_login.html:630
Evidence
const password = [REDACTED]('password').value.trim();