Environment variable access combined with network send.
- Code
- suspicious.env_credential_access
- Location
- dist/bin/bulletin-post.js:93
- Evidence
return process.env.GATEWAY_AUTH_TOKEN || secrets.GATEWAY_AUTH_TOKEN;
Security audit
Security checks across malware telemetry and agentic risk
This is a real multi-agent bulletin and Discord coordination tool; it uses sensitive tokens and wakes agents, but those behaviors are documented and aligned with its purpose.
Install only if you want bulletin content, responses, critiques, and closure summaries stored locally and sent to the Discord channels you configure, and if you are comfortable with subscribed agents being woken automatically. Keep agent groups narrow, use least-privilege Discord and Gateway tokens, restrict channel permissions, and do not put secrets or sensitive customer, HR, legal, or finance data in bulletins unless those systems are approved for it.
62/62 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access
return process.env.GATEWAY_AUTH_TOKEN || secrets.GATEWAY_AUTH_TOKEN;
const botToken = resolveConfigToken(cfg.botToken) ?? process.env.RELAY_BOT_TOKEN;
const botToken = resolveConfigToken(cfg.botToken) ?? process.env.RELAY_BOT_TOKEN;