Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- build.cjs:9
- Evidence
execSync('npx tsc --skipLibCheck', {
Security audit
Security checks across malware telemetry and agentic risk
The skill appears to be a real WeChat P2P channel, but it stores account tokens and can run recurring automatic broadcasts, so it should be reviewed before use.
Review this carefully before installing. Use it only if you trust the publisher, prefer a dedicated WeChat account, set a real TURN_SHARED_SECRET if using TURN, pin or review the npx installer, and disable or tightly configure the 30-minute broadcast feature unless you explicitly want automated outbound P2P/WeChat broadcasts.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+1 more)
execSync('npx tsc --skipLibCheck', {'<script', 'javascript:', 'eval(', 'document.cookie','eval(','onclick=', 'onmouseover=', 'eval(', 'document.cookie''<script', 'javascript:', 'eval(', 'document.cookie','eval(','onclick=', 'onmouseover=', 'eval(', 'document.cookie'fallbackSecret: process.env.TURN_SHARED_SECRET || 'local-dev-secret-key-2024',
fallbackSecret: process.env.TURN_SHARED_SECRET || 'local-dev-secret-key-2024',
logger.debug(`requestHeaders: ${JSON.stringify({ ...headers, Authorization: [REDACTED] ? "Bearer ***" : undefined })}`);`requestHeaders: ${JSON.stringify({ ...headers, Authorization: [REDACTED] ? "Bearer ***" : undefined })}`,password: '[REDACTED]',
password: '[REDACTED]',