Shell command execution detected (child_process).
- Code
- suspicious.dangerous_exec
- Location
- dist/plugin.js:381
- Evidence
agentProcess = spawn(process.execPath, [entryFile], {
Security audit
Security checks across malware telemetry and agentic risk
The phone-call purpose is coherent, but the package ships apparent secrets and runs a background voice bridge that can read account tokens, place calls, send text to external LLMs, and save call transcripts with unclear controls.
Treat this as needing review before installation. Do not install unless you trust the publisher and are comfortable with a background voice bridge using gateway and telephony credentials. Prefer a cleaned release with no bundled .env/log files, rotated secrets, explicit credential declarations, opt-in transcript saving, and explicit confirmation before outbound calls.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal
agentProcess = spawn(process.execPath, [entryFile], {agentProcess = spawn(process.execPath, [entryFile], {TWILIO_AUTH_TOKEN=[REDACTED]
LIVEKIT_API_SECRET: "[REDACTED]",
apiKey: [REDACTED],
apiKey: [REDACTED],
return { url: c.gatewayUrl, authToken: [REDACTED] };apiKey: [REDACTED],
password: [REDACTED],
LIVEKIT_API_SECRET: "[REDACTED]",
apiKey: [REDACTED],
apiKey: [REDACTED],
return { url: c.gatewayUrl, authToken: [REDACTED] };apiKey: [REDACTED],
password: [REDACTED],