Back to plugin

Security audit

Marmot

Security checks across malware telemetry and agentic risk

Overview

Marmot appears to be a coherent messaging-channel plugin, but it runs an external marmot-cli daemon and can accept remote Nostr messages unless allowlists are configured.

Before installing, make sure you trust the marmot-cli you build or install, use a dedicated Marmot identity, keep the daemon host on localhost unless you intentionally trust a remote daemon, and configure dmPolicy/groupPolicy allowlists so only trusted people can message your agent.

VirusTotal

57/57 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/daemon.ts:32
Evidence
const proc = spawn(config.cliPath, args, {