Back to plugin

Security audit

Basememe AI

Security checks across malware telemetry and agentic risk

Overview

Basememe AI appears aligned with its crypto-trading purpose, but it can use a stored wallet private key to make irreversible Base mainnet transactions and its credential requirements are under-declared.

Install only if you are comfortable giving this skill access to a dedicated low-balance wallet on Base mainnet. Pin the package version, configure credentials only for this skill, quote or dry-run first, require manual confirmation for every write command, and revoke allowances when finished.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/lib/gift-proof-helpers.js:45
Evidence
export function resolveBasememeApiToken(options = {}, env = process.env) {

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/commands/gift-proof-submit.js:99
Evidence
const bearer = [REDACTED](options);