File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/index.js:82
- Evidence
clientSecret: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a legitimate Kinde integration, but it handles sensitive identity and authorization data with too little visible scoping and logs more auth context than users should assume is safe.
Install only for trusted operators who are allowed to see Kinde tenant, user, organization, permission, and feature-flag data. Before use, configure least-privilege Kinde credentials, restrict which agents or users can call the tools, and review log handling so session identifiers and permission lists are redacted or retained only in protected audit systems.
62/62 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
clientSecret: [REDACTED],
clientSecret: [REDACTED],