File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/index.mjs:9
- Evidence
const DEFAULT_CLIENT_SECRET = "[REDACTED]";
Security audit
Security checks across malware telemetry and agentic risk
The artifact review could not be completed because filesystem inspection failed, and no artifact-backed suspicious behavior was available to establish a Review or malicious verdict.
This result is inconclusive: the workspace read attempts failed with a sandbox initialization error, so the package should be rescanned when metadata.json and artifact/ can be inspected directly.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration
const DEFAULT_CLIENT_SECRET = "[REDACTED]";
const raw = await readFile(tokenFile, "utf-8");