File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/index.mjs:4060
- Evidence
secretKey: [REDACTED],
Security audit
Security checks across malware telemetry and agentic risk
The plugin’s Langfuse tracing and prompt features are mostly disclosed, but the packaged code shows a hardcoded secret-looking key and broad automatic trace/session export that users should review before installing.
Install only if you trust the publisher and the configured Langfuse destination. Before enabling it, inspect the bundle for the flagged secret, confirm what trace data is sent and redacted, use a trusted or self-hosted Langfuse instance for sensitive work, and be careful with prompt rules that replace system prompts.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal, suspicious.potential_exfiltration
secretKey: [REDACTED],
raw = fs2.readFileSync(sessionFile, "utf-8");