File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- index.js:100
- Evidence
body.client_secret = [REDACTED];
Security audit
Security checks across malware telemetry and agentic risk
TraceProof Runtime appears purpose-aligned: it runs a verification plugin that uses TraceProof credentials, calls TraceProof APIs, and stores local proof state, with no artifact-backed malicious behavior found.
Install this only if you want OpenClaw sessions to be proofed through TraceProof. Use dedicated TraceProof credentials, protect the OpenClaw config file, review the API endpoints, back up any existing workspace AGENTS.md before copying the bundled grounding, and be aware that proof state with short message previews is stored locally.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
body.client_secret = [REDACTED];