Skillv1.0.1

Static analysis security

Alcor Capability Evolver · Deterministic local checks for risky code patterns and metadata mismatches.

Scanner verdict

SuspiciousApr 30, 2026, 5:41 AM

Summary: Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration
Reason codes: suspicious.dangerous_execsuspicious.env_credential_accesssuspicious.potential_exfiltration
Engine: v2.4.5

Evidence

criticalindex.js:33

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalscripts/build_public.js:170

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalscripts/generate_history.js:17

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalscripts/publish_public.js:13

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalscripts/recover_loop.js:19

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalscripts/suggest_version.js:27

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalsrc/evolve.js:281

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalsrc/gep/llmReview.js:70

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalsrc/gep/solidify.js:66

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalsrc/ops/health_check.js:20

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalsrc/ops/lifecycle.js:27

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalsrc/ops/self_repair.js:17

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalsrc/ops/skills_monitor.js:96

Shell command execution detected (child_process).

suspicious.dangerous_exec

criticalscripts/publish_public.js:248

Environment variable access combined with network send.

suspicious.env_credential_access

criticalsrc/evolve.js:56

Environment variable access combined with network send.

suspicious.env_credential_access

criticalsrc/gep/a2aProtocol.js:75

Environment variable access combined with network send.

suspicious.env_credential_access

criticalsrc/gep/hubReview.js:104

Environment variable access combined with network send.

suspicious.env_credential_access

criticalsrc/gep/hubSearch.js:19

Environment variable access combined with network send.

suspicious.env_credential_access

criticalsrc/gep/issueReporter.js:21

Environment variable access combined with network send.

suspicious.env_credential_access

criticalsrc/gep/memoryGraphAdapter.js:77

Environment variable access combined with network send.

suspicious.env_credential_access

criticalsrc/gep/skillDistiller.js:8

Environment variable access combined with network send.

suspicious.env_credential_access

criticalsrc/gep/taskReceiver.js:11

Environment variable access combined with network send.

suspicious.env_credential_access

criticalsrc/ops/self_repair.js:45

Environment variable access combined with network send.

suspicious.env_credential_access

warnscripts/publish_public.js:254

File read combined with network send (possible exfiltration).

suspicious.potential_exfiltration

warnsrc/evolve.js:371

File read combined with network send (possible exfiltration).

suspicious.potential_exfiltration

warnsrc/gep/a2aProtocol.js:41

File read combined with network send (possible exfiltration).

suspicious.potential_exfiltration

warnsrc/gep/hubReview.js:24

File read combined with network send (possible exfiltration).

suspicious.potential_exfiltration

warnsrc/gep/issueReporter.js:42

File read combined with network send (possible exfiltration).

suspicious.potential_exfiltration

warnsrc/gep/questionGenerator.js:20

File read combined with network send (possible exfiltration).

suspicious.potential_exfiltration

warnsrc/gep/skillDistiller.js:21

File read combined with network send (possible exfiltration).

suspicious.potential_exfiltration