Back to plugin

Security audit

TencentDB Agent Memory

Security checks across malware telemetry and agentic risk

Overview

The memory plugin mostly matches its stated purpose, but it needs review because the artifacts report hardcoded API-key literals and the plugin persistently records and reuses conversation data.

Before installing, verify that the reported hardcoded API-key literals are removed or harmless, and use your own credentials only. If you use the plugin, treat it as a long-term memory system: set retention limits, exclude sensitive agents or sessions, review stored memories/persona files, and use the remote TCVDB backend only if you trust that storage location and configuration.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/migrate-sqlite-to-tcvdb/dist/scripts/migrate-sqlite-to-tcvdb/sqlite-to-tcvdb.js:158
Evidence
apiKey: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/store/factory.ts:98
Evidence
apiKey: [REDACTED],