Security audit

Cernion Energy Tools Sidecar

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Cernion evidence-sidecar purpose, but one authenticated raw GET tool is broader than the stated local safety boundaries.

Install only if you trust the Cernion endpoint and configure least-privilege tokens. Prefer a dedicated read-only token for evidence calls and a separate process-intake token only if you need pending process receipts. Review or disable use of the broad cernion_api_request capability unless your Cernion server strictly blocks admin, auth, token, secret, and other sensitive GET paths server-side.

VirusTotal

60/60 vendors flagged this plugin as clean.

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with a network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:27
Evidence
const tokenFile = (config.bearerTokenFile || process.env.CERNION_READONLY_TOKEN_FILE || "").trim();

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:54
Evidence
const bearerToken = [REDACTED] ||