mol

Audit result: Fail

Audited by Socket on Apr 22, 2026

1 alert found:

Alert type: Malware
Severity: HIGH
File: app/-/web.js

This module contains a client-side model client that embeds numerous long token-like secrets and uses them to POST conversation history and attached files (converted to data URLs) to a third-party inference endpoint (models.github.ai). The presence of hard-coded bearer tokens in a frontend bundle, together with logic to iterate/rotate through them, is a strong indicator of credential misuse (stolen or abused tokens) and poses a high privacy and supply-chain risk (exfiltration of user content and unauthorized use of credentials). Immediate recommendations: do not use this package in production; remove any hard-coded tokens; move model calls to a trusted server-side proxy under your control with proper consent, rate limits, and credential management; audit the provenance of any embedded keys and rotate/revoke them if they were leaked. A further audit of all included tokens, and confirmation with the maintainers, is required.

Confidence: 75%
Severity: 90%
Audit Metadata
Analyzed At
Apr 22, 2026, 10:36 AM
Package URL
pkg:socket/skills-sh/b-on-g%2Fmol_skill%2Fmol%2F@729031f7ec21223db759536a54f01b88e0e2dd68