Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- index.js:54
- Evidence
if (process.env.SMARTKV_API_KEY) {
Security audit
Security checks across malware telemetry and agentic risk
This plugin mostly matches its image-generation purpose, but it can silently use an unrelated image API key and send it to a configurable external service.
Review before installing. Use a SmartKV-specific API key only, remove or avoid setting IMAGE_API_KEY in the plugin runtime environment, and avoid passing apiKey or baseUrl as per-call tool arguments unless you are sure where the request will go. Treat activity details and prompts as data sent to the SmartKV backend.
59/59 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
if (process.env.SMARTKV_API_KEY) {const apiKey = [REDACTED](config, overrides);