Google Meet

AdvisoryAudited by Static analysis on May 20, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Findings (6)

critical

suspicious.dangerous_exec

Location: dist/index.js:653
Finding: Shell command execution detected (child_process).
Evidence: const spawnFn = params.spawn ?? ((command, args, options) => spawn(command, args, options));

critical

suspicious.exposed_secret_literal

Location: dist/chrome-create-Bd4beDZU.js:138
Finding: File appears to expose a hardcoded API secret or token.
Evidence: accessToken: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/cli-hjf5xNts.js:166
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const clientSecret = [REDACTED]?.trim() || config.oauth.clientSecret;

critical

suspicious.exposed_secret_literal

Location: dist/create-CJGiIpwq.js:39
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED](raw.clientSecret) ?? config.oauth.clientSecret,

critical

suspicious.exposed_secret_literal

Location: dist/index.js:330
Finding: File appears to expose a hardcoded API secret or token.
Evidence: clientSecret: [REDACTED](oauth.clientSecret) ?? [REDACTED](auth.clientSecret) ?? readEnvString(env, GOOGLE_MEET_CLIENT_SECRET_KEYS),

critical

suspicious.exposed_secret_literal

Location: dist/oauth-BJwzuzT-.js:50
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const accessToken = [REDACTED]?.trim();