Back to Dashboard
100

Bilingual (EN + AR) print-grade PDF document generation — a Claude Code skill. Proposals, tutorials, reports, formal letters, CVs + cover letters, brand profiles, inline SVG diagrams.

@jasemal/katib0153 files scannedApril 22, 2026

High risk — review the findings below

We found multiple concerning patterns in this package. Some of these might be legitimate (for example, a build tool might need to run commands), but you should review each finding below and decide if the explanations make sense for what this package claims to do.

What We Found(5 issues)

Each card explains what was found and what it means in plain English. Click "Technical details" for the full breakdown.

HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

require("child_process"
bin/katib.js:19
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
bin/katib.js:57
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
bin/katib.js:82
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
bin/katib.js:115
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
bin/katib.js:26

Finding Summary

0

Critical

4

High

1

Medium

0

Low

0

Info