Openclaw Matrix 2026.5.19.Tgz

AdvisoryAudited by Static analysis on May 20, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Findings (18)

critical

suspicious.dangerous_exec

Location: dist/deps-LqqGWPWt.js:42
Finding: Shell command execution detected (child_process).
Evidence: const proc = spawn(command, args, {

critical

suspicious.exposed_secret_literal

Location: dist/account-selection-BWwIruri.js:46
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED](entry.accessToken),

critical

suspicious.exposed_secret_literal

Location: dist/channel-ClUVS-7H.js:675
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/channel.runtime-B1QurRaj.js:48
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/cli-MXYE-QK9.js:172
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/config-schema-B1OTtJSg.js:234
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED]().optional(),

critical

suspicious.exposed_secret_literal

Location: dist/create-client-B5b-7vQX.js:27
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/crypto-runtime-Dt4XDOFO.js:90
Finding: File appears to expose a hardcoded API secret or token.
Evidence: password: [REDACTED]?.()

critical

suspicious.exposed_secret_literal

Location: dist/directory-live-Bwk5Ij-k.js:19
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/http-client-r8CROzot.js:287
Finding: File appears to expose a hardcoded API secret or token.
Evidence: this.accessToken = [REDACTED];

critical

suspicious.exposed_secret_literal

Location: dist/legacy-crypto-restore-B9eF1gob.js:15
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/matrix-migration.runtime-Cf_wX9mk.js:48
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED]

critical

suspicious.exposed_secret_literal

Location: dist/sdk-DDUAi9uh.js:312
Finding: File appears to expose a hardcoded API secret or token.
Evidence: privateKey = [REDACTED](encodedPrivateKey);

critical

suspicious.exposed_secret_literal

Location: dist/setup-core-CnUlkNmz.js:44
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED] || void 0,

critical

suspicious.exposed_secret_literal

Location: dist/setup-surface-BdT1ex7Z.js:364
Finding: File appears to expose a hardcoded API secret or token.
Evidence: let accessToken = [REDACTED];

critical

suspicious.exposed_secret_literal

Location: dist/shared-BA9WrDZY.js:130
Finding: File appears to expose a hardcoded API secret or token.
Evidence: path: params.field === "accessToken" ? scopedKeys.accessToken : [REDACTED]

critical

suspicious.exposed_secret_literal

Location: dist/startup-verification-CTfhD7V_.js:19
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/storage-HI1nL3im.js:135
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],