Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- src/runner.ts:30
- Evidence
const child = spawn(command, args, {
Security audit
Security checks across malware telemetry and agentic risk
The plugin mostly matches its OpenSpec purpose, but a file-dump feature can be steered outside the intended OpenSpec change folder and the plugin gives agents a broad raw CLI passthrough.
Install only if you trust the local OpenSpec CLI and need this workflow. Before using it, pin the OpenSpec version, set `allowedRoots` to specific repositories, consider enabling `readOnly`, avoid `openspec_run` unless you approve the exact arguments, and do not use `includeFiles` on untrusted change names until the path-containment issue is fixed.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec
const child = spawn(command, args, {