Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- dist/index.cjs:109
- Evidence
function getConfig(env = process.env) {
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a disclosed read-only connector to a local code-search API, but it can return indexed source code to the agent and can send an optional API key to the configured service.
Install if you want your agent to query an existing code-search-api index. Verify the configured URL is trusted, use a dedicated API key if needed, and be aware that search results may include local source code from the index.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
function getConfig(env = process.env) {function getConfig(env = process.env) {const url = normalizeUrl(String(pluginConfig.url || process.env.CODE_SEARCH_API_URL || DEFAULT_URL));
const apiKey = [REDACTED]?.trim();
{"version":3,"sources":["../src/index.ts","../src/client.ts","../src/config.ts","../src/tools/code-search.ts","../src/tools/_util.ts"],"sourcesContent":["import...const apiKey = [REDACTED]?.trim();
{"version":3,"sources":["../src/index.ts","../src/client.ts","../src/config.ts","../src/tools/code-search.ts","../src/tools/_util.ts"],"sourcesContent":["import...