Environment variable access combined with network send.
- Code
- suspicious.env_credential_access
- Location
- index.js:222
- Evidence
const apiKey = process.env[config.apiKeyEnvVar];
Security audit
Security checks across malware telemetry and agentic risk
This plugin is purpose-aligned, but it forwards detailed transaction and session context to a Sigui backend and can block wallet actions, so users should review its data-sharing scope before installing.
Install only if you trust the configured Sigui backend and are comfortable sending wallet destinations, amounts, raw transaction parameters, and session identifiers to it. Prefer a self-hosted or vetted HTTPS endpoint, avoid placing secrets in tool parameters, and verify watchedTools is explicitly scoped before using this with agents that can move funds.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access, suspicious.install_untrusted_source
const apiKey = process.env[config.apiKeyEnvVar];
"default": "http://127.0.0.1:8765"