File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/src/config.js:68
- Evidence
let accessToken = [REDACTED];
Security audit
Security checks across malware telemetry and agentic risk
The plugin largely matches its QQ messaging purpose, but it needs review because its voice conversion path can execute shell commands with insufficiently safe path handling.
Install only if you trust the publisher and can accept local code execution risk from the voice feature. Keep OneBot endpoints on localhost or a trusted network, configure a strong access token and allowFrom, use a dedicated sharedDir, and avoid running the optional CLI sync unless you have reviewed it and need that compatibility patch.
64/64 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal
let accessToken = [REDACTED];