Back to plugin

Security audit

Fidacy — Payment Firewall

Security checks across malware telemetry and agentic risk

Overview

This payment-firewall plugin has disclosed local state, network, and credential use that fit its stated purpose, with no evidence of hidden exfiltration or destructive behavior.

Install only if you want an agent payment-control layer that keeps local audit state and may contact Fidacy services by default. Review the ~/.fidacy state files, set FIDACY_DISABLE_TELEMETRY=1 and/or FIDACY_DISABLE_PROVISION=1 if you do not want default background telemetry/provisioning, and configure engineApiKey/engineUrl only for a Fidacy endpoint you trust.

VirusTotal

60/60 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:4240
Evidence
const b64 = process.env.FIDACY_SIGNING_KEY_B64;

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:5315
Evidence
const apiKey = [REDACTED] ?? process.env.FIDACY_ENGINE_API_KEY ?? "").trim();