Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- dist/index.js:4298
- Evidence
const key = apiKey ?? process.env.EBB_ELECTRICITY_MAPS_API_KEY;
Security audit
Security checks across malware telemetry and agentic risk
This plugin appears purpose-built for carbon-aware task deferral, but it needs review because it can automatically queue background AI work and later send results to arbitrary webhooks, Telegram, or filesystem paths.
Install only if you are comfortable with a startup-activated scheduler that stores queued prompts/results locally and can run them later through OpenAI, Anthropic, or the OpenClaw runtime. Avoid using webhook or file delivery unless you fully trust the destination/path, and prefer explicit scheduling language plus chat or queue-only delivery for sensitive tasks.
61/61 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access
const key = apiKey ?? process.env.EBB_ELECTRICITY_MAPS_API_KEY;