Back to plugin
Pluginv0.13.0
Static analysis security
Package · Deterministic local checks for risky code patterns and metadata mismatches.
Scanner verdict
SuspiciousApr 27, 2026, 6:14 PM
- Summary
- Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration
- Reason codes
- suspicious.dangerous_execsuspicious.env_credential_accesssuspicious.potential_exfiltration
- Engine
- v2.4.0
Evidence
criticaldist/mcp-server.js:2295
Shell command execution detected (child_process).
while ((m = re.exec(text)) !== null) {criticalsrc/tools/scaffold-browser-bridge-node.ts:191
Shell command execution detected (child_process).
`const proc = spawnSync('node', ['bin/browser-bridge.js', PLATFORM, ACTION], {\n` +criticaldist/mcp-server.js:420
Environment variable access combined with network send.
const fromEnv = (process.env[config.apiKeyEnv] ?? "").trim();
warndist/mcp-server.js:2545
File read combined with network send (possible exfiltration).
const text = await fs3.readFile(resolved, "utf8");
warnsrc/tools/diff-workflow.ts:90
File read combined with network send (possible exfiltration).
const text = await fs.readFile(resolved, "utf8");