Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- audio.ts:26
- Evidence
const apiKey = settings.apiKey || process.env.SOUNDAI_API_KEY;
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a focused SoundAI text-to-speech provider that sends text to SoundAI using a SoundAI API key and returns audio.
If you install this, expect text sent for speech synthesis to be transmitted to SoundAI's cloud API along with your SoundAI API key. Only use a custom baseUrl if you trust that endpoint. The main inconsistency is metadata quality: the registry says no environment variables are required, but the plugin does need SOUNDAI_API_KEY.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.env_credential_access
const apiKey = settings.apiKey || process.env.SOUNDAI_API_KEY;
const apiKey = settings.apiKey || process.env.SOUNDAI_API_KEY;