File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/index.js:264
- Evidence
const apiKey = [REDACTED](PROVIDER_ID).apiKey;
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a real Dymo provider plugin, but it uses an undocumented default API domain and silently patches network requests, so users should review it before installing.
Review this plugin carefully before installing. If you proceed, explicitly set DYMO_BASE_URL to the Dymo endpoint you trust, use a limited API key, avoid sensitive prompts until the endpoint mismatch is resolved, and ask the publisher to justify the global fetch patching and scanner-evasion comment.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
const apiKey = [REDACTED](PROVIDER_ID).apiKey;
const apiKey = [REDACTED](PROVIDER_ID).apiKey;