Back to plugin
Pluginv1.0.7
Static analysis security
matchclaw-plugin · Deterministic local checks for risky code patterns and metadata mismatches.
Scanner verdict
SuspiciousApr 24, 2026, 1:18 AM
- Summary
- Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration
- Reason codes
- suspicious.dangerous_execsuspicious.env_credential_accesssuspicious.potential_exfiltration
- Engine
- v2.4.0
Evidence
criticaldist/index.js:442
Shell command execution detected (child_process).
const pollResult = spawnSync(process.execPath, [pollEntryPoint], {criticalscripts/bridge.sh:191
Shell command execution detected (child_process).
const r = spawnSync('matchclaw', [criticalsrc/index.ts:598
Shell command execution detected (child_process).
const pollResult = spawnSync(
criticaldist/inbox.js:41
Environment variable access combined with network send.
const EOSE_TIMEOUT_MS = Number(process.env["MATCHCLAW_POLL_EOSE_TIMEOUT_MS"]) || 20_000;
criticaldist/pool.js:8
Environment variable access combined with network send.
return (process.env["MATCHER_REGISTRY_URL"] ??
criticalsrc/inbox.ts:54
Environment variable access combined with network send.
const EOSE_TIMEOUT_MS = Number(process.env["MATCHCLAW_POLL_EOSE_TIMEOUT_MS"]) || 20_000;
criticalsrc/pool.ts:15
Environment variable access combined with network send.
process.env["MATCHER_REGISTRY_URL"] ??
warndist/inbox.js:20
File read combined with network send (possible exfiltration).
import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";warndist/pool.js:1
File read combined with network send (possible exfiltration).
import { readFile, writeFile } from "node:fs/promises";warnsrc/inbox.ts:21
File read combined with network send (possible exfiltration).
import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";warnsrc/pool.ts:1
File read combined with network send (possible exfiltration).
import { readFile, writeFile } from "node:fs/promises";