Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- dist/index.cjs:40
- Evidence
const value = process.env[key];
Security audit
Security checks across malware telemetry and agentic risk
The plugin mostly matches its Baidu search purpose, but the submitted artifacts include real-looking credentials, including an npm publish token, which creates a serious review concern.
Treat this as a review-needed plugin until the publisher removes the .env file, rotates the exposed credentials, and republishes a clean artifact. The Baidu search functionality itself is coherent, but users should also understand that the agent can automatically send search queries to Baidu when the tool or hook is enabled.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
const value = process.env[key];
const value = process.env[key];
export BAIDU_API_KEY=[REDACTED]
apiKey: [REDACTED] ?? readEnvString(ENV_VAR_MAPPING.apiKey),
apiKey: [REDACTED] ?? readEnvString(ENV_VAR_MAPPING.apiKey),
apiKey: [REDACTED] ?? readEnvString(ENV_VAR_MAPPING.apiKey),