Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- lib/embedding.js:29
- Evidence
return process.env.OPENAI_API_KEY || null;
Security audit
Security checks across malware telemetry and agentic risk
The memory features match the stated purpose, but the skill automatically records conversations, runs silent background memory jobs, and can use an OpenAI key, so it needs careful review before installation.
Install only if you intentionally want automatic long-term memory. Before enabling it, review setup.sh and the cron configuration, decide whether OpenAI embeddings are acceptable, remove or clarify the notify-bot job, and verify that you have ways to inspect, delete, export, and disable stored memories and background jobs.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.env_credential_access
return process.env.OPENAI_API_KEY || null;