Back to plugin

Security audit

Package

Security checks across malware telemetry and agentic risk

Overview

The plugin mostly matches its Q-Claw/WMS/ERP purpose, but it ships a client secret, stores auth tokens locally, and sends token-bearing requests to a default HTTP backend.

Install only if you trust the Q-Claw backend and deployment environment. Before use, replace the packaged client secret, require HTTPS for the backend URL, understand that WMS/ERP queries and context are sent to that backend, and review where the plugin stores local authorization tokens.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.js:1046
Evidence
accessToken = [REDACTED];

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
index.js:216
Evidence
const raw = fs.readFileSync(AUTH_STATE_FILE, "utf-8");