Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- dist/index.js:46
- Evidence
apiKey: cfg.llmApiKey ?? process.env.DASHSCOPE_API_KEY ?? ""
Security audit
Security checks across malware telemetry and agentic risk
ClawNexus matches a team RAG purpose, but it includes automatic conversation collection and sharing with an external LLM and configured team server, which needs careful review before use.
Install only in a trusted team environment. Before enabling it, confirm the serverUrl, secret, and LLM endpoints, avoid using it in chats containing secrets or sensitive client data, and ask for clear opt-out, redaction, retention, and access-control settings.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access
apiKey: cfg.llmApiKey ?? process.env.DASHSCOPE_API_KEY ?? ""