Shell command execution detected (child_process).
- Code
- suspicious.dangerous_exec
- Location
- dist/index.mjs:8856
- Evidence
var match = EXTRACT_TYPE_REGEXP.exec(type);
Security audit
Security checks across malware telemetry and agentic risk
This looks like a real security-monitoring plugin, but its code shows under-disclosed credential handling, a hardcoded secret-like value, TLS verification bypass, and shell command execution that should be reviewed before use.
Install only if you trust the publisher and are comfortable with a local monitoring plugin that can inspect MCP configs, store audit activity, run scanner commands, and make network requests. Before enabling it, review the request and credential-handling code, keep TLS verification enabled, remove or rotate any embedded secret, restrict monitored paths, and run it with the least environment access possible.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+2 more)
var match = EXTRACT_TYPE_REGEXP.exec(type);
execSync(command, {const output = execSync(cmd, { stdio: "pipe" }).toString().trim();name: "socat exec (reverse shell / command relay)",
const auditOutput = execSync(
const output = execSync(cmd, {*/var Gv=Kv("renderState"),zv=function(){function t(e){b(this,t),this.renderQueue=[],Object.defineProperty(this,Gv,{writable:!0,value:{restoreStack:[],prevObjec...*/var Gv=Kv("renderState"),zv=function(){function t(e){b(this,t),this.renderQueue=[],Object.defineProperty(this,Gv,{writable:!0,value:{restoreStack:[],prevObjec...return process.env[key.toLowerCase()] || process.env[key.toUpperCase()] || "";
const password = [REDACTED] || "";
httpsAgent: !verifySsl ? new https2.Agent({ rejectUnauthorized: false }) : void 0,? new https.Agent({ rejectUnauthorized: false })