Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- dist/compact/engine.js:38
- Evidence
const output = execSync(command, {
Security audit
Security checks across malware telemetry and agentic risk
The main session-compaction behavior is coherent, but the package includes an unrelated agent settings file that grants write-capable Git commands, plus it runs shell commands for LLM summaries.
Treat this as a code plugin, not just documentation. Before installing, review or remove the unrelated .qwen permission file, ensure you trust the GitHub/package source, and be aware that auto-compaction stores and reuses conversation summaries locally.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec
const output = execSync(command, {const output = execSync(command, {