npm · registry.npmjs.org

atel-mcp-openclaw

Webhook Exfil Endpoint: matched "api.telegram.org/bot"

Why PkgRadar flagged 0.6.49

Severity	Signal	Evidence
high	Webhook Exfil Endpoint	matched "api.telegram.org/bot" · package/bin/install.js
medium	Remote Payload	matched "api.telegram.org/bot" · package/bin/install.js
medium	Remote Payload	matched "api.telegram.org/bot" · package/src/tg-dispatch.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.6.49`	High risk	69	2026-06-11
`0.6.48`	High risk	69	2026-06-11
`0.6.47`	High risk	69	2026-06-11
`0.6.43`	High risk	69	2026-06-10
`0.6.44`	High risk	69	2026-06-10
`0.6.46`	High risk	69	2026-06-10
`0.6.45`	High risk	69	2026-06-10
`0.6.40`	Review	24	2026-05-24
`0.6.41`	Review	24	2026-05-24

Block this in CI

PkgRadar gates atel-mcp-openclaw (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm [email protected]