File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/index.js:69
- Evidence
const apiKey = [REDACTED](PROVIDER_ID).apiKey;
Security audit
Security checks across malware telemetry and agentic risk
ZenMux appears to do what it claims: it adds a ZenMux LLM provider and uses only ZenMux-specific credentials and endpoints.
Install this if you intend to route OpenClaw model requests through ZenMux. You should expect your prompts and the ZenMux API key to be used for calls to ZenMux, but this bundle does not show unrelated credential access, unexpected endpoints, or disproportionate installation behavior.
57/57 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
const apiKey = [REDACTED](PROVIDER_ID).apiKey;
const apiKey = [REDACTED](PROVIDER_ID).apiKey;