Back to plugin

Security audit

Code Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed read-only connector to a local code-search API, but it can return indexed source code to the agent and can send an optional API key to the configured service.

Install if you want your agent to query an existing code-search-api index. Verify the configured URL is trusted, use a dedicated API key if needed, and be aware that search results may include local source code from the index.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.cjs:109
Evidence
function getConfig(env = process.env) {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:86
Evidence
function getConfig(env = process.env) {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.mjs:4
Evidence
const url = normalizeUrl(String(pluginConfig.url || process.env.CODE_SEARCH_API_URL || DEFAULT_URL));

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.cjs:112
Evidence
const apiKey = [REDACTED]?.trim();

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.cjs.map:1
Evidence
{"version":3,"sources":["../src/index.ts","../src/client.ts","../src/config.ts","../src/tools/code-search.ts","../src/tools/_util.ts"],"sourcesContent":["import...

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:89
Evidence
const apiKey = [REDACTED]?.trim();

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js.map:1
Evidence
{"version":3,"sources":["../src/index.ts","../src/client.ts","../src/config.ts","../src/tools/code-search.ts","../src/tools/_util.ts"],"sourcesContent":["import...