Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- dist/index.js:4240
- Evidence
const b64 = process.env.FIDACY_SIGNING_KEY_B64;
Security audit
Security checks across malware telemetry and agentic risk
This payment-firewall plugin has disclosed local state, network, and credential use that fit its stated purpose, with no evidence of hidden exfiltration or destructive behavior.
Install only if you want an agent payment-control layer that keeps local audit state and may contact Fidacy services by default. Review the ~/.fidacy state files, set FIDACY_DISABLE_TELEMETRY=1 and/or FIDACY_DISABLE_PROVISION=1 if you do not want default background telemetry/provisioning, and configure engineApiKey/engineUrl only for a Fidacy endpoint you trust.
60/60 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
const b64 = process.env.FIDACY_SIGNING_KEY_B64;
const apiKey = [REDACTED] ?? process.env.FIDACY_ENGINE_API_KEY ?? "").trim();