Cue

Pass. Audited by VirusTotal on May 11, 2026.

Findings (1)

Package: Cue (xpi)
Version: 1.0.4
Description: Cue - Your personal research assistant / Your AI Research Assistant. A multi-agent deep research tool with persistent monitoring capabilities.

Classification: BENIGN

Summary: The Cue package (v1.0.4) is an AI research assistant tool that has undergone a significant refactoring from a Bash-based architecture (v1.0.3) to a Node.js-based one. The provided source code and accompanying documentation (e.g., `SECURITY.md`, `RELEASE_v1.0.4_SECURE.md`) explicitly highlight and address several critical security vulnerabilities present in the previous version.

Key security improvements in v1.0.4 include:

1. **Isolated Credential Storage**: API keys are now stored in `~/.cuecue/.env.secure` with restricted file permissions (0o600), preventing exposure to other applications and fixing a high-severity vulnerability from v1.0.3 where keys were written to a shared environment file (`~/.openclaw/.env`).
2. **File Permissions Control**: All sensitive directories (`~/.cuecue`) are created with 0o700 permissions, and files with 0o600, ensuring only the owner can access them.
3. **No System-Level Modifications**: The package explicitly states it does not modify system-wide cron jobs (using `node-cron` for internal scheduling instead) and does not require root privileges, adhering to the principle of least privilege.
4. **Transparent Metadata**: The `manifest.json` and `SECURITY.md` provide comprehensive declarations of required/optional environment