File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/index.js:6303
- Evidence
password: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a coherent DebugBundle integration, with disclosed credential use and optional tools that can change DebugBundle account resources.
Install only if you trust DebugBundle with the projects and credentials available to the agent. Keep mutation tools allowlisted narrowly, review billing/member/token/webhook/project permissions before enabling them, and use a trusted apiBaseUrl because bearer tokens are sent to that host.
60/60 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
password: [REDACTED],