Back to plugin

Security audit

Openclaw Otto Travel

Security checks across malware telemetry and agentic risk

Overview

This travel plugin appears purpose-aligned, but it can make or cancel real travel bookings through an authorized account without an explicit local confirmation guard in the provided code.

Review this before installing if you would not want an agent to make or cancel bookings on your behalf. If you use it, keep manual approval enabled for booking, cancellation, and loyalty/preference changes; verify the serverUrl is Otto's official endpoint; and protect or delete ~/.openclaw/.otto-tokens.json when finished.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/auth.js:165
Evidence
access_token: [REDACTED],