Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- index.js:32
- Evidence
process.env.SMARTKV_API_KEY ||
Security audit
Security checks across malware telemetry and agentic risk
This plugin does what it says, but it sends prompts and an API key to a default plaintext HTTP backend at a raw IP address, which users should review before installing.
Install only if you trust the SmartKV backend and understand that your prompt text and SmartKV API key may be sent to the configured server. Prefer configuring an HTTPS endpoint you control or trust, rotate the key if it was used over HTTP, and avoid sending sensitive prompts through this plugin.
64/64 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.install_untrusted_source
process.env.SMARTKV_API_KEY ||
apiKey: [REDACTED],
"description": "SmartKV API 基础地址,例如 http://1.94.23.191:8080/api/v1",