critical
suspicious.exposed_secret_literal
- Location
- dist/channel.js:175
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
password: [REDACTED],
IMClaw
AdvisoryAudited by Static analysis on May 19, 2026.
Overview
Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration
Findings (4)
critical
suspicious.exposed_secret_literal
- Location
- dist/imclaw-bridge.js:113
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
password: [REDACTED],
critical
suspicious.exposed_secret_literal
- Location
- dist/tools/register-account.js:62
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
password: [REDACTED],
warn
suspicious.potential_exfiltration
- Location
- dist/channel.js:311
- Finding
- Sensitive-looking file read is paired with a network send.
- Evidence
const parsed = JSON.parse(fs.readFileSync(SESSION_BOUNDARY_STATE_PATH, 'utf-8'));