Back to plugin

Security audit

@gecho-ai/gecho-bridge-bundle

Security checks across malware telemetry and agentic risk

Overview

The available artifacts look like disclosed operational tooling rather than malware, though they should be used with scoped credentials.

Install only if you intend to let the skill use the named operational services. Use least-privilege API tokens, review any setup-created config or memory paths, and confirm before running commands that create, update, delete, publish, ban, or push external changes.

VirusTotal

63/63 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/mcp-client.cjs:28993
Evidence
const matches = RELATIVE_JSON_POINTER.exec($data);

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
dist/mcp-client.cjs:29142
Evidence
const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);