Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- dist/index.js:3688
- Evidence
const child = spawn(command, args, {
Security audit
Security checks across malware telemetry and agentic risk
Agent Searchkit is a coherent local search tool, but its privacy wording overstates that queries stay on the machine even though it uses SearXNG to reach public search engines.
Install only if you are comfortable with your search queries going to the configured SearXNG instance and its upstream search engines. Do not search secrets, run it with minimal environment credentials, pin the Docker image if possible, and periodically clean local research-run files.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.install_untrusted_source
const child = spawn(command, args, {const child = spawn(command, args, {env: process.env,
env: process.env,
"default": "http://127.0.0.1:8888"