Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- dist/index.js:21
- Evidence
const proc = spawn("python3", [BRIDGE_SCRIPT, "--persistent"], {
Security audit
Security checks across malware telemetry and agentic risk
Review recommended: the package is advertised as tier-based tool routing, but the shipped extension starts a persistent Python event-bus process and stores replayable local data.
Install only if you are comfortable with this package running python3 as a persistent local bridge and creating a local event database. Verify that you actually want the event-bus behavior, set dbPath to an isolated location, avoid publishing sensitive payloads, and review the full source/provenance before enabling it.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.dangerous_exec
const proc = spawn("python3", [BRIDGE_SCRIPT, "--persistent"], {const proc = spawn("python3", [BRIDGE_SCRIPT, "--persistent"], {