Back to plugin

Security audit

Corev

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Corev configuration-management plugin, but users should know it runs local code and host-management commands rather than being purely instructional.

This looks internally consistent with a Corev DevOps/config-management plugin. Before installing, treat it as an active code-running plugin: it can execute Corev/local host commands, write a server .env file, start local processes, and use configurable start/stop/create-user commands. Install it only in a trusted working directory, review any hostStartCommand/hostStopCommand values before use, and only allowlist mutating tools like push, revert, checkout, init, or host bootstrap if you intend the agent to make those changes.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.ts:418
Evidence
const child = spawn(command, args, {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/cli.integration.test.ts:56
Evidence
mockServer = spawn('node', ['tests/mock-api.mjs'], {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
tests/e2e.live.test.ts:121
Evidence
const {stdout, stderr} = await execFile(command, args, {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.ts:136
Evidence
return asString(params.mongoUri) || asString(pluginConfig.hostMongoUri) || asString(process.env.MONGO_URI);

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
tests/e2e.live.test.ts:34
Evidence
const runLive = process.env.COREV_LIVE_E2E === '1';

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
index.ts:345
Evidence
const password = [REDACTED](params);

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/host/server/src/api/middlewares/auth.middleware.ts:55
Evidence
*   Authorization: Bearer [REDACTED]