File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/speech-provider.js:36
- Evidence
apiKey: [REDACTED](cfg.apiKey),
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a straightforward Cartesia text-to-speech plugin; it uses a Cartesia API key, sends text to Cartesia for speech generation, and runs ffmpeg for audio conversion, all of which are disclosed and purpose-aligned.
Install only if you are comfortable sending TTS text to Cartesia, using a Cartesia API key, and running a trusted local ffmpeg binary for voice notes. Keep the default Cartesia endpoint unless you trust an alternative, store the API key securely, and enable suppressDuplicateText only if you want voice-only replies.
62/62 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
apiKey: [REDACTED](cfg.apiKey),
export CARTESIA_API_KEY=[REDACTED]