File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- lib/auth.mjs:63
- Evidence
const accessToken = [REDACTED] ?? json.access_token;
Security audit
Security checks across malware telemetry and agentic risk
The plugin appears purpose-built for erxes administration, but it needs review because it combines broad business-data mutation authority with durable OAuth secret persistence and owner-mode instructions.
Install only if you intend the agent to operate erxes with owner-level authority. Use the shortest acceptable auth duration, prefer a least-privilege OAuth client, verify destructive and outbound actions before approval, and use logout/reset on shared or less trusted machines.
60/60 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
const accessToken = [REDACTED] ?? json.access_token;