Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- dist/index.js:17
- Evidence
const raw = String(process.env.ADSCENE_API_URL || '').replace(/\/+$/, '');
Security audit
Security checks across malware telemetry and agentic risk
This is a cloud video-editing plugin, but the packaged runtime uses undocumented legacy API environment variables while sending user edit requests and project data to a remote backend.
Review before installing. Use it only if you are comfortable sending prompts, media references, project IDs, and scene data to the configured video-editing backend. Verify the actual runtime environment variables before use, and prefer requirePlanApproval or explicit confirmation for edits that change or export user content.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access
const raw = String(process.env.ADSCENE_API_URL || '').replace(/\/+$/, '');
process.env.LEVEA_API_URL || process.env.ADSCENE_API_URL || ''