Google Meet

AdvisoryAudited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Findings (6)

critical

suspicious.dangerous_exec

Location: dist/index.js:611
Finding: Shell command execution detected (child_process).
Evidence: const spawnFn = params.spawn ?? ((command, args, options) => spawn(command, args, options));

critical

suspicious.exposed_secret_literal

Location: dist/chrome-create-B0wV2zaj.js:137
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/cli-CP1gp7Wl.js:166
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const clientSecret = [REDACTED]?.trim() || config.oauth.clientSecret;

critical

suspicious.exposed_secret_literal

Location: dist/create-mHH3keLH.js:39
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED](raw.clientSecret) ?? config.oauth.clientSecret,

critical

suspicious.exposed_secret_literal

Location: dist/index.js:329
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED](oauth.clientSecret) ?? [REDACTED](auth.clientSecret) ?? readEnvString(env, GOOGLE_MEET_CLIENT_SECRET_KEYS),

critical

suspicious.exposed_secret_literal

Location: dist/oauth-BJwzuzT-.js:50
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const accessToken = [REDACTED]?.trim();