File appears to expose a hardcoded API secret or token.
- Code
- suspicious.exposed_secret_literal
- Location
- scripts/migrate-sqlite-to-tcvdb/dist/scripts/migrate-sqlite-to-tcvdb/sqlite-to-tcvdb.js:158
- Evidence
apiKey: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
The memory plugin mostly matches its stated purpose, but it needs review because the artifacts report hardcoded API-key literals and the plugin persistently records and reuses conversation data.
Before installing, verify that the reported hardcoded API-key literals are removed or harmless, and use your own credentials only. If you use the plugin, treat it as a long-term memory system: set retention limits, exclude sensitive agents or sessions, review stored memories/persona files, and use the remote TCVDB backend only if you trust that storage location and configuration.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
apiKey: [REDACTED],
apiKey: [REDACTED],