Back to plugin

Security audit

TraceProof Runtime

Security checks across malware telemetry and agentic risk

Overview

TraceProof Runtime appears purpose-aligned: it runs a verification plugin that uses TraceProof credentials, calls TraceProof APIs, and stores local proof state, with no artifact-backed malicious behavior found.

Install this only if you want OpenClaw sessions to be proofed through TraceProof. Use dedicated TraceProof credentials, protect the OpenClaw config file, review the API endpoints, back up any existing workspace AGENTS.md before copying the bundled grounding, and be aware that proof state with short message previews is stored locally.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.js:100
Evidence
body.client_secret = [REDACTED];