Openclaw Discord 2026.5.19.Tgz

AdvisoryAudited by Static analysis on May 20, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Findings (2)

critical

suspicious.env_credential_access

Location: dist/provider-BZtjA1y_.js:2159
Finding: Environment variable access combined with network send.
Evidence: function resolvePreferencesStorePath(env = process.env) {

critical

suspicious.exposed_secret_literal

Location: dist/pluralkit-BnCH6cHK.js:11
Finding: File appears to expose a hardcoded API secret or token.
Evidence: if (params.config.token?.trim()) headers.Authorization = [REDACTED]();