Shell command execution detected (child_process).
- Code
- suspicious.dangerous_exec
- Location
- index.ts:40
- Evidence
version = execFileSync(snipBin, ["--version"], { encoding: "utf-8" }).trim();
Security audit
Security checks across malware telemetry and agentic risk
This skill appears to do what it claims: it adds a snip-based wrapper for shell commands to reduce CLI output, without asking for unrelated credentials or sending data to unexpected services.
This looks internally coherent, but remember that it is effectively a shell-command wrapper: the agent can use it to run commands on your machine, just with output filtered through `snip`. Before installing, verify that you trust both this plugin and the external `snip` binary from the author's tap/GitHub project. Also note the metadata mismatch: the registry says no binary is required, but in practice `snip` must be installed for the skill to work.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec
version = execFileSync(snipBin, ["--version"], { encoding: "utf-8" }).trim();const child = spawn(snipBin, ["--", params.command], {