File appears to expose a hardcoded API secret or token.
- Code
- suspicious.exposed_secret_literal
- Location
- llm-client.ts:212
- Evidence
apiKey = [REDACTED];
Security audit
Security checks across malware telemetry and agentic risk
This canary memory skill mostly matches its stated purpose, but it needs review because it appears to ship an embedded API secret and includes tools that can modify persistent memories without a separate confirmation step.
Review before installing, especially because this is labeled as a canary build. Do not use an existing crypto wallet recovery phrase. Confirm that the publisher has removed or explained the reported hardcoded API key, and use the memory-deletion or consolidation tools only after previewing exactly what will change.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal, suspicious.prompt_injection_instructions
apiKey = [REDACTED];
**System Prompt:**