Back to plugin

Security audit

Session Compact

Security checks across malware telemetry and agentic risk

Overview

The main session-compaction behavior is coherent, but the package includes an unrelated agent settings file that grants write-capable Git commands, plus it runs shell commands for LLM summaries.

Treat this as a code plugin, not just documentation. Before installing, review or remove the unrelated .qwen permission file, ensure you trust the GitHub/package source, and be aware that auto-compaction stores and reuses conversation summaries locally.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/compact/engine.js:38
Evidence
const output = execSync(command, {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/compact/engine.ts:64
Evidence
const output = execSync(command, {