File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/src/auth.js:165
- Evidence
access_token: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
This travel plugin appears purpose-aligned, but it can make or cancel real travel bookings through an authorized account without an explicit local confirmation guard in the provided code.
Review this before installing if you would not want an agent to make or cancel bookings on your behalf. If you use it, keep manual approval enabled for booking, cancellation, and loyalty/preference changes; verify the serverUrl is Otto's official endpoint; and protect or delete ~/.openclaw/.otto-tokens.json when finished.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
access_token: [REDACTED],