Dynamic code execution detected.
- Code
- suspicious.dynamic_code_execution
- Location
- __tests__/build.test.ts:23
- Evidence
it("does not contain eval( calls", () => {
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a legitimate Manifest LLM routing provider, though its metadata under-declares the Manifest API key and endpoint settings that the code can use.
Before installing, understand that using manifest/auto means your model requests will be routed through Manifest’s cloud service unless you deliberately configure another endpoint. The API key it asks for is relevant to the service, but the package metadata should ideally declare MANIFEST_API_KEY and the optional MANIFEST_ENDPOINT setting more clearly.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dynamic_code_execution, suspicious.env_credential_access, suspicious.exposed_secret_literal
it("does not contain eval( calls", () => {"use strict";var ENV={API_KEY:"MANIFEST_API_KEY",ENDPOINT:"MANIFEST_ENDPOINT"},API_KEY_PREFIX="mnfst_",DEFAULTS={ENDPOINT:"https://app.manifest.build",SERVICE_N...const result = parseConfig({ apiKey: "[REDACTED]" });"use strict";var ENV={API_KEY:"[REDACTED]",ENDPOINT:"MANIFEST_ENDPOINT"},API_KEY_PREFIX="mnfst_",DEFAULTS={ENDPOINT:"https://app.manifest.build",SERVICE_NAME:"o..."sourcesContent": ["// Environment variable names (fallback when plugin config is missing)\nexport const ENV = {\n API_KEY: '[REDACTED]',\n ENDPOINT: 'MANIFES...API_KEY: '[REDACTED]',