Back to Dashboard
100

Build and run autonomous AI agents with OpenClaw, Hermes, multiple model providers, orchestration, delegation, memory, skills, schedules, and chat connectors.

@swarmclawai/swarmclaw01778 files scannedMay 11, 2026

Do not install this package

We found dangerous patterns that could harm your computer or steal your data. This package tries to access your SSH keys and credentials. Unless you are 100% sure you trust the author and have reviewed the code yourself, do not install this.

What We Found(345 issues)

Each card explains what was found and what it means in plain English. Click "Technical details" for the full breakdown.

HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execSync } from "child_process"
next.config.ts:2
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn, type ChildProcessWithoutNullStreams } from 'child_process'
scripts/browser-e2e-smoke.ts:5
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawnSync } from 'child_process'
scripts/test-openclaw-protocol.mjs:17
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execSync, execFileSync } from 'child_process'
src/app/api/chats/[id]/deploy/route.ts:2
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/app/api/chats/[id]/devserver/route.ts:2
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execSync } from 'child_process'
src/app/api/dirs/pick/route.ts:2
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/app/api/files/open/route.ts:2
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn, type ChildProcess } from 'child_process'
src/app/api/preview-server/route.ts:2
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execSync } from 'child_process'
src/app/api/version/update/route.ts:2
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn, type ChildProcess } from 'child_process'
src/lib/providers/acp-client.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/providers/claude-cli.ts:4
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawnSync, type ChildProcess } from 'child_process'
src/lib/providers/cli-utils.ts:12
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/providers/codex-cli.ts:4
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/providers/copilot-cli.ts:4
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/providers/cursor-cli.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/providers/droid-cli.ts:4
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/providers/gemini-cli.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/providers/generic-cli.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/providers/goose.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/providers/opencode-cli.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/providers/qwen-code-cli.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn, execSync } from 'child_process'
src/lib/server/connectors/signal.ts:2
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import type { ChildProcess } from 'child_process'
src/lib/server/connectors/signal.ts:3
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawnSync } from 'child_process'
src/lib/server/connectors/whatsapp.ts:13
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawnSync } from 'child_process'
src/lib/server/document-utils.ts:3
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/server/extensions.ts:5
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execFile } from 'child_process'
src/lib/server/openclaw/doctor.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/lib/server/playwright-proxy.mjs:7
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawnSync } from 'child_process'
src/lib/server/provider-health.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn, type ChildProcessWithoutNullStreams } from 'child_process'
src/lib/server/runtime/process-manager.ts:3
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import('child_process'
src/lib/server/runtime/process-manager.ts:488
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

require('child_process'
src/lib/server/session-tools/context.ts:192
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn, type ChildProcess } from 'child_process'
src/lib/server/session-tools/delegate.ts:3
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn, type ChildProcess } from 'child_process'
src/lib/server/session-tools/execute.ts:15
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execFile } from 'child_process'
src/lib/server/session-tools/openclaw-workspace.ts:4
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawnSync } from 'child_process'
src/lib/server/session-tools/web.ts:8
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execSync } from 'child_process'
src/lib/server/skills/skill-eligibility.ts:1
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
bin/daemon-cmd.js:102
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
bin/daemon-cmd.js:116
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
bin/server-cmd.js:401
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
bin/server-cmd.js:425
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
bin/swarmclaw.js:108
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
bin/swarmclaw.js:180
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
bin/update-cmd.js:30
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
bin/worker-cmd.js:61
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
electron/server-lifecycle.ts:51
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
next.config.ts:47
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
scripts/browser-e2e-smoke.ts:171
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/build-electron.mjs:29
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/easy-setup.mjs:26
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/easy-setup.mjs:41
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/easy-setup.mjs:66
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/easy-setup.mjs:75
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/easy-update.mjs:24
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/easy-update.mjs:41
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/easy-update.mjs:54
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/ensure-sandbox-browser-image.mjs:26
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/ensure-sandbox-browser-image.mjs:67
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/ensure-sandbox-browser-image.test.mjs:43
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/gen-icons.mjs:24
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/gen-icons.mjs:32
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/postinstall.mjs:33
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/postinstall.mjs:63
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/postinstall.mjs:78
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/postinstall.test.mjs:30
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/run-next-build.mjs:294
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/run-next-typegen.mjs:39
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/test-openclaw-protocol.mjs:274
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/test-openclaw-protocol.mjs:283
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/test-openclaw-protocol.mjs:287
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
scripts/test-openclaw-protocol.mjs:294
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/app/api/approvals/route.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/app/api/chats/[id]/deploy/route.ts:21
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/app/api/chats/[id]/deploy/route.ts:30
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/app/api/chats/[id]/devserver/route.ts:44
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/app/api/clawhub/install/route.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/app/api/dirs/pick/route.ts:11
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/app/api/dirs/pick/route.ts:26
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/app/api/dirs/pick/route.ts:36
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/app/api/dirs/pick/route.ts:41
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/app/api/files/open/route.ts:39
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/app/api/preview-server/route.ts:189
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/app/api/preview-server/route.ts:206
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/app/api/setup/doctor/route.ts:31
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/app/api/version/update/route.ts:9
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/app/api/wallets/route.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/cli/binary.test.js:17
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/cli/index.js:1358
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/cli/index.js:1365
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/providers/acp-client.ts:42
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/providers/claude-cli.ts:76
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/providers/cli-utils.ts:202
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/providers/cli-utils.ts:223
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/providers/cli-utils.ts:254
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/providers/cli-utils.ts:285
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/providers/cli-utils.ts:330
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/providers/codex-cli.ts:148
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/providers/copilot-cli.ts:116
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/providers/cursor-cli.ts:73
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/providers/droid-cli.ts:67
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/providers/gemini-cli.ts:58
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/providers/generic-cli.ts:49
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/providers/goose.ts:72
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/providers/opencode-cli.ts:62
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/providers/qwen-code-cli.ts:67
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/agents/agent-thread-session.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/lib/server/agents/guardian.ts:25
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/agents/main-agent-loop-advanced.test.ts:15
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/agents/main-agent-loop.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/autonomy/supervisor-reflection.test.ts:16
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/autonomy-runtime.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/chat-execution/chat-execution-utils.ts:466
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/chatrooms/chatroom-helpers.ts:106
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/chatrooms/chatroom-helpers.ts:126
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/chatrooms/chatroom-session-persistence.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/connectors/openclaw.ts:355
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/connectors/signal.ts:26
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/lib/server/connectors/signal.ts:107
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/lib/server/connectors/signal.ts:178
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/connectors/swarmdock-secret.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/connectors/whatsapp.ts:173
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/connectors/whatsapp.ts:197
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/daemon/controller.ts:412
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/data-dir.test.ts:30
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/data-dir.test.ts:67
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/data-dir.test.ts:105
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/document-utils.ts:157
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/document-utils.ts:183
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/document-utils.ts:199
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/document-utils.ts:213
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/eval/store.ts:14
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/eval/store.ts:18
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/eval/store.ts:26
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/execution-log.ts:74
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/execution-log.ts:86
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/execution-log.ts:87
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/execution-log.ts:88
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/execution-log.ts:89
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/extensions.ts:834
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/knowledge-db.test.ts:29
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/knowledge-db.test.ts:48
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/knowledge-db.test.ts:55
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/knowledge-db.test.ts:61
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/knowledge-db.test.ts:67
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/knowledge-db.test.ts:75
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/knowledge-db.test.ts:76
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/langgraph-checkpoint.ts:36
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/langgraph-checkpoint.ts:49
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/langgraph-checkpoint.ts:64
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/memory/memory-db.ts:525
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/memory/memory-db.ts:557
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/memory/memory-db.ts:561
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/memory/memory-db.ts:564
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/memory/memory-db.ts:567
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/memory/memory-db.ts:576
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/memory/memory-db.ts:585
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/memory/memory-db.ts:588
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/memory/memory-db.ts:591
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/memory/memory-db.ts:594
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/memory/memory-db.ts:600
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/playwright-proxy.mjs:33
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/playwright-proxy.mjs:38
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/provider-health.ts:50
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/provider-health.ts:51
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/provider-health.ts:140
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/provider-health.ts:152
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/provider-health.ts:156
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/run-context.ts:200
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/run-context.ts:204
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/run-context.ts:213
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/runtime/heartbeat-service-timer.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/runtime/process-manager.ts:132
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/runtime/process-manager.ts:258
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/lib/server/runtime/process-manager.ts:489
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/runtime/queue-reconcile.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/runtime/queue-recovery.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/runtime/queue-retry-policy.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/runtime/runtime-settings.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/runtime/scheduler.test.ts:18
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/sandbox/docker-detect.ts:20
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/sandbox/docker.ts:15
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/context.ts:194
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/context.ts:195
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/delegate-fallback.test.ts:42
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/session-tools/delegate.ts:759
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/session-tools/delegate.ts:840
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/session-tools/delegate.ts:924
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/session-tools/delegate.ts:1010
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/session-tools/delegate.ts:1094
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/session-tools/delegate.ts:1179
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/session-tools/delegate.ts:1265
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/session-tools/delegate.ts:1348
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/discovery-approvals.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/execute.test.ts:14
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/session-tools/execute.ts:113
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/session-tools/execute.ts:162
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/lib/server/session-tools/google-workspace.ts:218
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/manage-connectors.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/manage-schedules.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/manage-tasks-advanced.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/manage-tasks.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/session-tools/memory.test.ts:22
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/subagent.test.ts:15
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/swarmdock.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/session-tools/web.ts:1876
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/skills/skill-audit.ts:34
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
src/lib/server/skills/skill-eligibility.ts:25
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/skills/skills-normalize.ts:381
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/storage-item-access.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/storage-item-access.test.ts:315
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage-mcp.test.ts:62
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage-mcp.test.ts:97
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage-mcp.test.ts:143
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage-mcp.test.ts:159
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage.ts:191
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage.ts:195
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage.ts:198
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage.ts:199
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage.ts:202
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage.ts:203
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage.ts:204
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage.ts:205
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage.ts:206
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/storage.ts:214
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/tasks/task-mention.ts:48
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/server/tasks/task-mention.ts:69
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/test-utils/run-with-temp-data-dir.ts:33
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
src/lib/server/working-state/service.test.ts:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/lib/tts-stream.ts:23
HIGHHIGH-004

DO NOT INSTALL. This package tries to read your SSH keys — the same keys that unlock your servers, your GitHub account, and your deployments. No Claude skill should ever need to touch these files. This looks like credential theft.

Technical details

Accessing SSH keys or known_hosts is a strong indicator of credential theft. No legitimate MCP server needs access to SSH configuration.

.ssh/
src/lib/server/session-tools/index.ts:204
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.SWARMCLAW_ACCESS_KEY
scripts/benchmark-autonomy-harness.mjs:262
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.SWARMCLAW_ACCESS_KEY
scripts/benchmark-autonomy-harness.mjs:262
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
scripts/browser-e2e-smoke.ts:81
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
scripts/browser-e2e-smoke.ts:163
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.SWARMCLAW_ACCESS_KEY
scripts/demo-platform-test.mjs:15
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/app/api/setup/doctor/route.ts:131
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
src/app/api/setup/doctor/route.ts:139
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.GITHUB_TOKEN
src/app/api/tasks/import/github/route.ts:28
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.GH_TOKEN
src/app/api/tasks/import/github/route.ts:29
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.GITHUB_PERSONAL_ACCESS_TOKEN
src/app/api/tasks/import/github/route.ts:30
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/app/api/tts/route.test.ts:97
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.SWARMCLAW_ACCESS_KEY
src/cli/index.ts:41
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.SWARMCLAW_API_KEY
src/cli/index.ts:42
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.SC_ACCESS_KEY
src/cli/index.ts:43
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.GEMINI_API_KEY
src/lib/providers/cli-utils.ts:269
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.GOOGLE_API_KEY
src/lib/providers/cli-utils.ts:269
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.GH_TOKEN
src/lib/providers/cli-utils.ts:280
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.GITHUB_TOKEN
src/lib/providers/cli-utils.ts:280
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.COPILOT_GITHUB_TOKEN
src/lib/providers/cli-utils.ts:280
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.FACTORY_API_KEY
src/lib/providers/cli-utils.ts:310
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/lib/server/artifacts/artifact-resolver.test.ts:12
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
src/lib/server/artifacts/artifact-resolver.test.ts:13
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
src/lib/server/build-llm.test.ts:12
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
src/lib/server/build-llm.test.ts:30
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
src/lib/server/build-llm.test.ts:58
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
src/lib/server/build-llm.test.ts:59
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.SWARMCLAW_OPENAI_STT_API_KEY
src/lib/server/connectors/inbound-audio-transcription.ts:91
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.OPENAI_API_KEY
src/lib/server/connectors/inbound-audio-transcription.ts:91
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/connectors/inbound-audio-transcription.ts:110
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.SWARMCLAW_DAEMON_ADMIN_TOKEN
src/lib/server/daemon/daemon-runtime.ts:53
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:18
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:42
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:43
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:52
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:59
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:78
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:79
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:88
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:95
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:122
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:123
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:132
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:139
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:166
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:167
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:177
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:196
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:221
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:222
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:231
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:238
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:255
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:256
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:265
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:272
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:300
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.test.ts:301
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ELEVENLABS_API_KEY
src/lib/server/elevenlabs.ts:43
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.OLLAMA_API_KEY
src/lib/server/openclaw/deploy.ts:429
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/lib/server/session-tools/chatroom.ts:261
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.test.ts:5
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.test.ts:8
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.test.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.test.ts:13
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.test.ts:25
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.test.ts:33
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.test.ts:84
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.test.ts:102
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.test.ts:117
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.test.ts:138
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.test.ts:153
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.EXA_API_KEY
src/lib/server/session-tools/search-providers.ts:343
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/lib/server/sharing/share-link-repository.test.ts:10
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
src/lib/server/sharing/share-link-repository.test.ts:11
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/lib/server/sharing/share-link-repository.test.ts:61
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
src/lib/server/sharing/share-link-repository.test.ts:62
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.GITHUB_TOKEN
src/lib/server/skills/skills-normalize.test.ts:52
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.OPENAI_API_KEY
src/lib/server/skills/skills-normalize.test.ts:52
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
src/lib/server/storage-auth.ts:63
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
src/lib/server/storage-auth.ts:65
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/lib/server/storage-auth.ts:72
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/lib/server/storage-auth.ts:74
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/lib/server/storage-auth.ts:81
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/lib/server/storage-auth.ts:85
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/lib/server/storage-auth.ts:113
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CREDENTIAL_SECRET
src/lib/server/storage.ts:892
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/proxy.test.ts:8
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/proxy.test.ts:11
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/proxy.test.ts:12
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/proxy.test.ts:17
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/proxy.test.ts:33
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/proxy.test.ts:47
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.ACCESS_KEY
src/proxy.ts:107
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/app/api/extensions/marketplace/route.ts:26
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/lib/extension-sources.ts:51
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/lib/plugin-sources.test.ts:24
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/lib/server/extensions.test.ts:58
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/lib/server/extensions.ts:329
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/lib/server/session-tools/discovery.ts:115
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(c
bin/swarmclaw.js:222
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(p
scripts/electron-after-pack.test.mjs:14
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(m
src/cli/server-cmd.test.js:15
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(/
src/lib/providers/openai.ts:32
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
src/lib/server/chat-execution/prompt-sections.ts:347
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(/
src/lib/server/chat-execution/stream-agent-chat.ts:591
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(/
src/lib/server/connectors/googlechat.ts:10
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(/
src/lib/server/connectors/matrix.ts:14
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(/
src/lib/server/connectors/teams.ts:11
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(/
src/lib/server/document-utils.ts:171
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require($
src/lib/server/extensions.ts:809
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
src/lib/server/mcp-client.ts:74
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
src/lib/server/mcp-client.ts:84
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
src/lib/server/mcp-client.ts:93
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(/
src/lib/server/session-tools/web.ts:256

Finding Summary

0

Critical

324

High

21

Medium

0

Low

0

Info