critical
suspicious.exposed_secret_literal
- Location
- dist/index.mjs:9
- Finding
- File appears to expose a hardcoded API secret or token.
- Evidence
const DEFAULT_CLIENT_SECRET = "[REDACTED]";
旺小宝
AdvisoryAudited by Static analysis on May 14, 2026.
Overview
Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration
Findings (2)
warn
suspicious.potential_exfiltration
- Location
- dist/index.mjs:3083
- Finding
- Sensitive-looking file read is paired with a network send.
- Evidence
const raw = await readFile(tokenFile, "utf-8");