Back to plugin

Security audit

Bulletin Tools

Security checks across malware telemetry and agentic risk

Overview

This is a real multi-agent bulletin and Discord coordination tool; it uses sensitive tokens and wakes agents, but those behaviors are documented and aligned with its purpose.

Install only if you want bulletin content, responses, critiques, and closure summaries stored locally and sent to the Discord channels you configure, and if you are comfortable with subscribed agents being woken automatically. Keep agent groups narrow, use least-privilege Discord and Gateway tokens, restrict channel permissions, and do not put secrets or sensitive customer, HR, legal, or finance data in bulletins unless those systems are approved for it.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/bin/bulletin-post.js:93
Evidence
return process.env.GATEWAY_AUTH_TOKEN || secrets.GATEWAY_AUTH_TOKEN;

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:31
Evidence
const botToken = resolveConfigToken(cfg.botToken) ?? process.env.RELAY_BOT_TOKEN;

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.ts:72
Evidence
const botToken = resolveConfigToken(cfg.botToken) ?? process.env.RELAY_BOT_TOKEN;