File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/index.js:68
- Evidence
const apiKey = [REDACTED](PROVIDER_ID).apiKey;
Security audit
Security checks across malware telemetry and agentic risk
This is a coherent UniGateway LLM provider plugin; the main risks are ordinary API-key handling and broad dynamic model access, not hidden or malicious behavior.
Before installing, confirm you trust UniGateway to receive prompts and model traffic, prefer setting UNIGATEWAY_API_KEY through the environment or OpenClaw's secret prompt instead of putting the raw key directly on the command line, and monitor which UniGateway models are used because dynamic model discovery may expose models with different cost or policy characteristics.
60/60 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
const apiKey = [REDACTED](PROVIDER_ID).apiKey;
const apiKey = [REDACTED](PROVIDER_ID).apiKey;