Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- index.ts:5
- Evidence
const apiKey = api.pluginConfig?.apiKey || process.env.MIMO_API_KEY;
Security audit
Security checks across malware telemetry and agentic risk
This plugin appears to do the advertised speech-to-text job, but it uploads the selected local audio file and MiMo API key to an external endpoint, so users should configure it carefully.
This looks like a normal API-backed speech-to-text plugin. Before enabling it, confirm you trust the MiMo endpoint, provide a dedicated API key if possible, and only let it process audio files you intend to upload for transcription.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
const apiKey = api.pluginConfig?.apiKey || process.env.MIMO_API_KEY;
const KEY = process.env.MIMO_API_KEY;
const apiKey = [REDACTED]?.apiKey || process.env.MIMO_API_KEY;