Back to plugin

Security audit

SmartKV Image Generator

Security checks across malware telemetry and agentic risk

Overview

This plugin does what it says, but it sends prompts and an API key to a default plaintext HTTP backend at a raw IP address, which users should review before installing.

Install only if you trust the SmartKV backend and understand that your prompt text and SmartKV API key may be sent to the configured server. Prefer configuring an HTTPS endpoint you control or trust, rotate the key if it was used over HTTP, and avoid sending sensitive prompts through this plugin.

VirusTotal

64/64 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.install_untrusted_source

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:32
Evidence
process.env.SMARTKV_API_KEY ||

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.js:341
Evidence
apiKey: [REDACTED],

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
openclaw.plugin.json:19
Evidence
"description": "SmartKV API 基础地址,例如 http://1.94.23.191:8080/api/v1",