Environment variable access combined with network send.
- Code
- suspicious.env_credential_access
- Location
- dist/image-generation-provider-runtime.js:49
- Evidence
normalizeOptionalString(process.env.NEWAPI_BASE_URL) ??
Security audit
Security checks across malware telemetry and agentic risk
This image-generation provider mostly does what it claims, but it also has an under-disclosed Telegram progress path that can send part of a user prompt outside OpenClaw.
Install only if you are comfortable with prompts and reference images being sent to the configured NewAPI/model endpoint, and avoid using it in Telegram-connected OpenClaw environments unless you have reviewed and accept that prompt excerpts may be sent as chat progress messages. Prefer explicit NEWAPI_BASE_URL and NEWAPI_API_KEY settings over generic BASE_URL/API_KEY, and avoid sensitive prompts or images unless the endpoint owner and data handling are trusted.
62/62 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
normalizeOptionalString(process.env.NEWAPI_BASE_URL) ??
normalizeOptionalString(process.env.NEWAPI_BASE_URL) ??
const apiKey = [REDACTED](PROVIDER_ID).apiKey;
const apiKey = [REDACTED](PROVIDER_ID).apiKey;