Environment variable access combined with network send.
- Code
- suspicious.env_credential_access
- Location
- index.js:54
- Evidence
if (process.env.SMARTKV_API_KEY) {
Security audit
Security checks across malware telemetry and agentic risk
This plugin appears to do what it says, but it sends API keys and request data to a default plain-HTTP raw IP endpoint, which is unsafe enough to require review before use.
Install only if you trust the SmartKV backend operator and can configure a trusted HTTPS baseUrl before use. Avoid relying on environment fallbacks, especially IMAGE_API_KEY, because the plugin may send that value as the SmartKV API key. The artifact does not show destructive behavior or hidden file access, but the default network security posture is weak for any real credential.
63/63 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.install_untrusted_source
if (process.env.SMARTKV_API_KEY) {const apiKey = [REDACTED](config, overrides);
"description": "SmartKV API base URL, for example http://1.94.23.191:9090/api/v1.",