File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- config.yaml:27
- Evidence
em_api_key: "[REDACTED]"
Security audit
Security checks across malware telemetry and agentic risk
This stock-analysis skill is mostly purpose-aligned, but it embeds an API key and sends finance queries to third-party services without clear privacy scoping or opt-in.
Install only if you are comfortable with finance symbols, search terms, and AI prompts being sent to external providers such as Eastmoney, Tencent, Baidu, Hexin, and news APIs. Remove and rotate the bundled Eastmoney API key before use, prefer your own secret via environment variable, and avoid entering proprietary trading strategies or sensitive portfolio details into the AI commands.
65/65 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
em_api_key: "[REDACTED]"
em_api_key: "[REDACTED]"