Back to plugin

Security audit

@gecho-ai/gecho-bridge-bundle

Security checks across malware telemetry and agentic risk

Overview

This TikTok research bridge mostly does what it advertises, but it starts a persistent local service tied to a logged-in browser session and exposes under-protected local control endpoints.

Install only if you are comfortable letting a local Node service communicate with a Chrome extension connected to your logged-in TikTok session. Use a dedicated save directory, review or delete saved JSON results, avoid shared machines for sensitive research, and be aware that other local processes may be able to reach the service while it is running.

VirusTotal

63/63 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/mcp-client.cjs:28993
Evidence
const matches = RELATIVE_JSON_POINTER.exec($data);

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
dist/mcp-client.cjs:29142
Evidence
const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);