File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- src/accounts.ts:33
- Evidence
accessToken: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
This QQ bot plugin is mostly coherent, but it gives the AI broad QQ control and includes keyword-triggered script execution that could run local commands from chat events if configured loosely.
Review the configuration before installing. Use allowlists for DMs and groups, set trusted admins only, keep the NapCat token secret, and do not enable keyword-triggered scripts unless you can tightly restrict who can trigger them and what they can run.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
accessToken: [REDACTED],
const accessToken = [REDACTED](account.config.accessToken);
accessToken: [REDACTED] || account.accessToken,
return { httpApi: account.httpApi, accessToken: [REDACTED] };