Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- scripts/daily-report.mjs:503
Security audit
Security checks across malware telemetry and agentic risk
This is a disclosed metals-market briefing skill that fetches public market data and can send the generated report to a user-configured Telegram chat.
Install only if you want an automated metals briefing that may post report contents to Telegram. Use a dedicated bot and channel, keep the token out of commits and logs, test with DRY_RUN before live sends, and pin the reviewed package or commit rather than relying on an unpinned clone. Verify market data independently before making financial decisions.
66/66 vendors flagged this skill as clean.
Detected: suspicious.env_credential_access