Back to plugin

Security audit

SmartKV Image Generator

Security checks across malware telemetry and agentic risk

Overview

This plugin appears to do what it says, but it sends API keys and request data to a default plain-HTTP raw IP endpoint, which is unsafe enough to require review before use.

Install only if you trust the SmartKV backend operator and can configure a trusted HTTPS baseUrl before use. Avoid relying on environment fallbacks, especially IMAGE_API_KEY, because the plugin may send that value as the SmartKV API key. The artifact does not show destructive behavior or hidden file access, but the default network security posture is weak for any real credential.

VirusTotal

63/63 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.install_untrusted_source

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:54
Evidence
if (process.env.SMARTKV_API_KEY) {

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.js:78
Evidence
const apiKey = [REDACTED](config, overrides);

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
openclaw.plugin.json:19
Evidence
"description": "SmartKV API base URL, for example http://1.94.23.191:9090/api/v1.",