openclaw-zero-token

SUSPICIOUS: the core browser-auth credential capture is consistent with the claimed zero-token gateway purpose, but the overall footprint is high risk. It installs from a less-verifiable personal fork, stores highly sensitive session credentials for many providers, and adds exec/read/write tool capabilities that exceed basic gateway needs and create prompt-injection and local-action risk.