Security audit
Cartograph
Security checks across malware telemetry and agentic risk
Overview
Cartograph appears to do what it claims—manage reusable code widgets—but users should know it depends on the separate Cartograph MCP/CLI package and may install it automatically in Claude Code.
This plugin is internally coherent: it is a Cartograph integration and its file access, CLI use, MCP server setup, cloud publishing, and proposal-management behavior all match that purpose. Before installing, decide whether you trust the Cartograph PyPI package (`cartograph-mcp` / `cartograph-cli`) and the Cartograph registry workflow, because the plugin can help publish reusable code widgets when configured to do so. Also check your Cartograph settings, especially `auto-publish`, registry, visibility, and governance, so code is not shared more broadly than you intend.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
