Back to plugin

Security audit

erxes-next-plugin

Security checks across malware telemetry and agentic risk

Overview

The plugin appears purpose-built for erxes administration, but it needs review because it combines broad business-data mutation authority with durable OAuth secret persistence and owner-mode instructions.

Install only if you intend the agent to operate erxes with owner-level authority. Use the shortest acceptable auth duration, prefer a least-privilege OAuth client, verify destructive and outbound actions before approval, and use logout/reset on shared or less trusted machines.

VirusTotal

60/60 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
lib/auth.mjs:63
Evidence
const accessToken = [REDACTED] ?? json.access_token;