MAL-2026-4749

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (677eed2b8b2630ec8e88b29d7ae3d9d49fc0d0c18230cc51b24d8102cdb151ee) Every advertised function in this package (ask_llm, pink, america, iran, momo, abc, bcd, code, sf, liti, koko, init, dropnull, hellp, lc) instantiates a Groq client using a hardcoded `gsk_...` API key owned by the package author and forwards the caller-supplied `prompt` argument to api.groq.com via `client.chat.completions.create`. Callers cannot supply their own key; the public API has no parameter or env-var override. As a result, any prompt content passed into these functions — which may contain proprietary data, customer input, or secrets — is routed through the author's Groq account, where the author can read it via their dashboard. 17 distinct hardcoded Groq keys are shipped across ai_helper.py, abc.py, america.py, bcd.py, code.py, dropnull.py, hellp.py, init.py, iran.py, koko.py, lc.py, liti.py, momo.py, pink.py, and sf.py. The package metadata reinforces the assessment: README references an unrelated `sample_package` with `add`/`greet` examples that don't exist in the source, the package and module names are nonsensical, and there is no documented legitimate purpose for the relay.