Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- src/daemon.ts:32
- Evidence
const proc = spawn(config.cliPath, args, {
Security audit
Security checks across malware telemetry and agentic risk
Marmot appears to be a coherent messaging-channel plugin, but it runs an external marmot-cli daemon and can accept remote Nostr messages unless allowlists are configured.
Before installing, make sure you trust the marmot-cli you build or install, use a dedicated Marmot identity, keep the daemon host on localhost unless you intentionally trust a remote daemon, and configure dmPolicy/groupPolicy allowlists so only trusted people can message your agent.
57/57 vendors flagged this plugin as clean.
Detected: suspicious.dangerous_exec
const proc = spawn(config.cliPath, args, {