Back to plugin

Security audit

liangzimixin

Security checks across malware telemetry and agentic risk

Overview

This messaging plugin is mostly consistent with an IM-channel integration, but it needs review because it appears to ship a hardcoded authorization value and its encryption/security posture is not as clear as its branding suggests.

Review carefully before installing, especially on production accounts. Ask the publisher to clarify and remove any hardcoded Authorization/accessToken values, use least-privilege app credentials, verify all service endpoints, and set encryptionMode to quantum_only if you require all messages to be encrypted.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.obfuscated_code

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.cjs:153
Evidence
var env = process.env;

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/setup-entry.cjs:153
Evidence
var env = process.env;

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.cjs:40544
Evidence
accessToken: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/quantum-sdk/index.cjs:4147
Evidence
const response = await http2.post(url, data, { headers: { Authorization: [REDACTED] } });

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/setup-entry.cjs:39008
Evidence
accessToken: [REDACTED],

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
dist/index.cjs:9089
Evidence
req.end(Buffer.from(jsonStringify(options, this.options.replacer), "utf8"));

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
dist/setup-entry.cjs:9089
Evidence
req.end(Buffer.from(jsonStringify(options, this.options.replacer), "utf8"));