Back to plugin

Security audit

NewAPI Image Provider

Security checks across malware telemetry and agentic risk

Overview

This image-generation provider mostly does what it claims, but it also has an under-disclosed Telegram progress path that can send part of a user prompt outside OpenClaw.

Install only if you are comfortable with prompts and reference images being sent to the configured NewAPI/model endpoint, and avoid using it in Telegram-connected OpenClaw environments unless you have reviewed and accept that prompt excerpts may be sent as chat progress messages. Prefer explicit NEWAPI_BASE_URL and NEWAPI_API_KEY settings over generic BASE_URL/API_KEY, and avoid sensitive prompts or images unless the endpoint owner and data handling are trusted.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/image-generation-provider-runtime.js:49
Evidence
normalizeOptionalString(process.env.NEWAPI_BASE_URL) ??

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/image-generation-provider.js:49
Evidence
normalizeOptionalString(process.env.NEWAPI_BASE_URL) ??

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index-runtime.js:31
Evidence
const apiKey = [REDACTED](PROVIDER_ID).apiKey;

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:31
Evidence
const apiKey = [REDACTED](PROVIDER_ID).apiKey;