Plugin v0.4.3

Static analysis security

Neotoma · Deterministic local checks for risky code patterns and metadata mismatches.

Scanner verdict

Suspicious · Apr 15, 2026, 9:37 AM
Summary
Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration
Reason codes
suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration
Engine
v2.4.0

Evidence

critical · dist/cli/index.js:592
Shell command execution detected (child_process).
const child = spawn(process.argv[0], [process.argv[1], "init"], {
critical · dist/cli/mcp_config_scan.js:889
Shell command execution detected (child_process).
execSync("npm run sync:mcp", {
critical · dist/mcp_ws_bridge.js:89
Shell command execution detected (child_process).
child = spawn(MCP_CMD, MCP_ARGS, {
critical · dist/services/schema_registry.js:1029
Shell command execution detected (child_process).
const child = spawn("tsx", [scriptPath], {
critical · dist/shared/local_transport.js:63
Shell command execution detected (child_process).
localApiChild = spawn(process.execPath, [actionsPath], {
critical · dist/actions.js:53
Environment variable access combined with network send.
origin: process.env.NEOTOMA_FRONTEND_URL || process.env.FRONTEND_URL || "http://localhost:5195",
critical · dist/cli/index.js:87
Environment variable access combined with network send.
process.env.NEOTOMA_USE_READLINE === "1" ||
critical · dist/server.js:152
Environment variable access combined with network send.
(!isHTTPTransport ? process.env.NEOTOMA_CONNECTION_ID : undefined);
critical · dist/services/interpretation.js:90
Environment variable access combined with network send.
if (process.env.NEOTOMA_ENV !== "production") {
critical · dist/services/mcp_oauth.js:36
Environment variable access combined with network send.
const ENCRYPTION_KEY = process.env.NEOTOMA_MCP_TOKEN_ENCRYPTION_KEY ||
critical · dist/shared/api_client.js:12
Environment variable access combined with network send.
const defaultFallback = process.env.NODE_ENV === "test"
critical · dist/shared/local_transport.js:66
Environment variable access combined with network send.
...process.env,
warn · dist/actions.js:2626
File read combined with network send (possible exfiltration).
const fileBuffer = fs.readFileSync(resolvedPath);
warn · dist/cli/index.js:467
File read combined with network send (possible exfiltration).
const raw = await fs.readFile(pkgPath, "utf-8");
warn · dist/server.js:8
File read combined with network send (possible exfiltration).
import { readFileSync } from "node:fs";
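As an added worked example (not code from the Neotoma plugin and not the engine that produced this report), the following Node.js script implements the same three pattern families the report lists, deterministically and line by line, over constructed sample files. The rule regexes, the severity split on secret-looking variable names, and the reading of "combined with network send" as "a send call appears anywhere in the same file" are assumptions chosen for illustration.

```javascript
// Added example (not the engine that produced the report above): a minimal,
// deterministic line-by-line scanner for the three pattern families it lists.
// Rule names, severities and the "same file" notion of "combined with" are
// assumptions chosen for illustration.

// child_process entry points being called (import lines are excluded below).
const CHILD_PROCESS_RE = /\b(?:spawn|spawnSync|exec|execSync|execFile|execFileSync|fork)\s*\(/;
// process.env.NAME or process.env["NAME"]; the name is captured for triage.
const ENV_ACCESS_RE = /\bprocess\.env(?:\.([A-Za-z_]\w*)|\[["']([^"']+)["']\])/;
// Filesystem reads that could feed an outbound request.
const FILE_READ_RE = /\b(?:readFileSync|readFile|createReadStream)\s*\(/;
// Calls that move data off-host; presence anywhere in the file arms the
// "combined with network send" rules.
const NETWORK_SEND_RE = /\b(?:fetch|axios\.(?:get|post|put)|https?\.(?:request|get))\s*\(/;
// import/require lines prove a module is loaded, not that it is used; skip them.
const IMPORT_RE = /^\s*import\b|=\s*require\(["'][^"']+["']\)\s*;?\s*$/;
// Env names that look like secrets get "critical"; plain config flags get "warn".
const CREDENTIAL_NAME_RE = /KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL/i;

function scanFile(path, source) {
  const lines = source.split("\n");
  const findings = [];
  const hasNetworkSend = lines.some((l) => NETWORK_SEND_RE.test(l));
  lines.forEach((text, i) => {
    const line = i + 1;
    const snippet = text.trim();
    if (IMPORT_RE.test(text)) return;
    if (CHILD_PROCESS_RE.test(text)) {
      findings.push({ severity: "critical", code: "suspicious.dangerous_exec", path, line, snippet,
        message: "Shell command execution detected (child_process)." });
    }
    const env = ENV_ACCESS_RE.exec(text);
    if (env && hasNetworkSend) {
      const name = env[1] || env[2];
      findings.push({ severity: CREDENTIAL_NAME_RE.test(name) ? "critical" : "warn",
        code: "suspicious.env_credential_access", path, line, snippet,
        message: `Environment variable ${name} read in a file that also sends over the network.` });
    }
    if (FILE_READ_RE.test(text) && hasNetworkSend) {
      findings.push({ severity: "warn", code: "suspicious.potential_exfiltration", path, line, snippet,
        message: "File read combined with network send (possible exfiltration)." });
    }
  });
  return findings;
}

// Roll findings up into a verdict with de-duplicated, sorted reason codes.
function verdict(findings) {
  const reasonCodes = [...new Set(findings.map((f) => f.code))].sort();
  return { verdict: reasonCodes.length ? "Suspicious" : "Clean", reasonCodes, findings };
}

// Constructed sample sources for demonstration; not taken from any real project.
const SAMPLES = {
  "dist/worker.js": [
    'import { readFileSync } from "node:fs";',
    'import { execSync } from "node:child_process";',
    'const KEY = process.env.APP_API_KEY;',
    'const debug = process.env.APP_DEBUG === "1";',
    'const body = readFileSync(process.argv[2]);',
    'execSync("npm run build");',
    'await fetch("https://example.invalid/upload", { method: "POST", body, headers: { authorization: KEY } });',
  ].join("\n"),
  // Reads a file and an env var but never sends anything: no finding expected.
  "dist/offline.js": [
    'import { readFileSync } from "node:fs";',
    'const cfg = JSON.parse(readFileSync("config.json", "utf-8"));',
    'const port = process.env.PORT || 3000;',
  ].join("\n"),
};

function scanAll(samples = SAMPLES) {
  return verdict(Object.entries(samples).flatMap(([path, src]) => scanFile(path, src)));
}

console.log(JSON.stringify(scanAll(), null, 2));
```

Two triage points the example makes explicit, both visible in the report above: the same env-access rule fires on a transport flag such as NEOTOMA_USE_READLINE and on NEOTOMA_MCP_TOKEN_ENCRYPTION_KEY, so splitting severity on the variable name keeps the real secret from drowning in config noise; and the dist/server.js:8 hit is an `import { readFileSync } from "node:fs"` line, which proves the module is loaded but is not itself a file read, so the example skips import and require lines and reports only call sites.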