Back to plugin

Security audit

Stayfinder

Security checks across malware telemetry and agentic risk

Overview

Stayfinder appears to match its hotel-search purpose, but it stores a StayFinder token/email and sends your trip search details to StayFinder, so use it only if you trust that service.

Before installing, make sure you are comfortable enabling executable OpenClaw tools that contact StayFinder, storing a local StayFinder token, and sharing trip search details with that service. The provided artifacts do not show scraping, browser automation, destructive actions, or hidden data collection, but the redacted static token warning is worth confirming in the unredacted package if you want extra assurance.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/tools/search-stays.js:189
Evidence
apiToken: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/credential-store.test.ts:30
Evidence
api_token: '[REDACTED]',

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/tools/search-stays.ts:253
Evidence
apiToken: [REDACTED],