File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- smithery.yaml:43
- Evidence
...([REDACTED] ? { PERPLEXITY_API_KEY: [REDACTED] } : {}),
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a real citation-analysis tool, but it needs review because it sends queries and URLs to external services, fetches arbitrary URLs from the host, stores results locally, and has a credential-leak risk in error handling.
Install only if you are comfortable with a self-hosted MCP server making outbound requests to AI/search vendors and to user-supplied URLs. Do not use it for confidential queries or internal URLs unless you run it in an egress-restricted environment, and be aware that failed requests may reveal some API keys in logs or tool errors.
65/65 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
...([REDACTED] ? { PERPLEXITY_API_KEY: [REDACTED] } : {}),