Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- dist/index.js:4401
- Evidence
const key = apiKey ?? process.env.EBB_ELECTRICITY_MAPS_API_KEY;
Security audit
Security checks across malware telemetry and agentic risk
This plugin does what it says: it keeps a local queue of deferred AI tasks and runs them later at lower-carbon grid times, with expected local storage and provider API use.
Before installing, be comfortable with the gateway keeping a local queue of task prompts/results and running queued work in the background. Use webhook and file delivery only for destinations you trust, and review any OpenAI, Anthropic, Telegram, and grid API keys available to the gateway because queued tasks may use them.
60/60 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access, suspicious.potential_exfiltration
const key = apiKey ?? process.env.EBB_ELECTRICITY_MAPS_API_KEY;
const privatePem2 = readFileSync(privateKeyPath, "utf8");