critical
suspicious.env_credential_access
- Location
- src/lib/gift-proof-helpers.js:45
- Finding
- Environment variable access combined with network send.
- Evidence
export function resolveBasememeApiToken(options = {}, env = process.env) {
Basememe AI
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
Findings (2)
critical
suspicious.exposed_secret_literal
- Location
- src/commands/gift-proof-submit.js:99
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const bearer = [REDACTED](options);