Environment variable access combined with network send.
- Code
- suspicious.env_credential_access
- Location
- dist/index.cjs:153
- Evidence
var env = process.env;
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a real IM channel plugin, but it should be reviewed because it handles chat credentials and tokens while the bundled SDK/code shows a possible hardcoded authorization secret and provenance ambiguity.
Install only if you trust the publisher and the IM provider. Before enabling it, verify the hardcoded Authorization finding, restrict file roots and endpoint environment overrides, understand that the plugin stores tokens/logs under ~/.liangzimixin, and treat all incoming chat messages as untrusted agent input.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.obfuscated_code
var env = process.env;
var env = process.env;
accessToken: [REDACTED],
const response = await http2.post(url, data, { headers: { Authorization: [REDACTED] } });accessToken: [REDACTED],
req.end(Buffer.from(jsonStringify(options, this.options.replacer), "utf8"));
req.end(Buffer.from(jsonStringify(options, this.options.replacer), "utf8"));