Back to plugin

Security audit

SmartKV Image Generator

Security checks across malware telemetry and agentic risk

Overview

This plugin mostly matches its image-generation purpose, but it can silently use an unrelated image API key and send it to a configurable external service.

Review before installing. Use a SmartKV-specific API key only, remove or avoid setting IMAGE_API_KEY in the plugin runtime environment, and avoid passing apiKey or baseUrl as per-call tool arguments unless you are sure where the request will go. Treat activity details and prompts as data sent to the SmartKV backend.

VirusTotal

59/59 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:54
Evidence
if (process.env.SMARTKV_API_KEY) {

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.js:78
Evidence
const apiKey = [REDACTED](config, overrides);