File appears to expose a hardcoded API secret or token.
- Code
- suspicious.exposed_secret_literal
- Location
- dist/src/speech-provider.js:50
- Evidence
apiKey: [REDACTED]({
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a coherent Mistral/Voxtral speech plugin, with no unrelated credential or system access apparent from the provided files.
Before installing, understand that text sent for speech synthesis and audio sent for transcription will be sent to Mistral using your Mistral API key, or to whatever custom base URL you configure. The main caveat is that the provided evaluation data omits/truncates some source and built files, so a full source review would increase confidence, but the visible behavior is internally consistent with a Voxtral/Mistral speech integration.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
apiKey: [REDACTED]({apiKey: [REDACTED]({apiKey: [REDACTED]({apiKey: [REDACTED]({