Shell command execution detected (child_process).
- Code
- suspicious.dangerous_exec
- Location
- dist/src/cli/process-runner.js:3
- Evidence
const child = spawn(command, args, {
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a genuine materials-science research plugin, with Python and Materials Project access that matches its stated purpose.
This skill looks internally consistent with what it claims to do. Before installing, make sure you trust the npm/GitHub source and are comfortable running its Python setup, which installs scientific packages such as mp-api, pymatgen, ASE, and matplotlib. Only provide a Materials Project API key if you need live Materials Project queries; otherwise it can operate in offline/mock mode. Also review the configured workspaceRoot so generated notes, reports, plots, and structures are written where you expect.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal
const child = spawn(command, args, {const child = spawn(pythonPath, ["-m", "materials_lab.worker"], {const child = spawn(command, args, {const child = spawn(pythonPath, ["-m", "materials_lab.worker"], {MATERIALS_PROJECT_API_KEY: [REDACTED],
MATERIALS_PROJECT_API_KEY: [REDACTED],