Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- scripts/live-smoke.mjs:1
- Evidence
const apiKey = process.env.HPC_AI_API_KEY;
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a straightforward HPC-AI model provider plugin that asks for the expected HPC-AI API key and routes requests to the documented HPC-AI endpoint.
This plugin looks internally consistent. If you install it, expect to provide an HPC-AI API key, and only set HPC_AI_BASE_URL if you intentionally want to route model traffic through a trusted alternate endpoint or proxy. The metadata saying there are no env vars is worth noting, but the API key requirement itself is normal for this kind of provider.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.env_credential_access
const apiKey = process.env.HPC_AI_API_KEY;