critical
suspicious.dangerous_exec
- Location
- dist/runtime-entry-X0kPF8Cf.js:1473
- Finding
- Shell command execution detected (child_process).
- Evidence
const proc = spawn("tailscale", args, { stdio: [
Openclaw Voice Call 2026.5.19.Tgz
AdvisoryAudited by Static analysis on May 20, 2026.
Overview
Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal
Findings (6)
critical
suspicious.exposed_secret_literal
- Location
- dist/config-C8gX5Cik.js:61
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
authToken: [REDACTED]()
critical
suspicious.exposed_secret_literal
- Location
- dist/config-compat-DJqJ8NzH.js:78
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
if ([REDACTED]) legacyStreamingOpenAICompat.apiKey = [REDACTED];
critical
suspicious.exposed_secret_literal
- Location
- dist/plivo-BjXtz_Wv.js:24
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
this.authToken = [REDACTED];
critical
suspicious.exposed_secret_literal
- Location
- dist/runtime-entry-X0kPF8Cf.js:1770
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
authToken: [REDACTED],
critical
suspicious.exposed_secret_literal
- Location
- dist/twilio-DsggjKEf.js:190
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
this.authToken = [REDACTED];