Skip to content
This repository was archived by the owner on Jun 21, 2026. It is now read-only.
This repository was archived by the owner on Jun 21, 2026. It is now read-only.

No security scanning for malicious code in third-party synced plugins #62

Description

@StencilwashCoder

Several plugins in the repo contain shell scripts or executable code that is downloaded and run by users. However, there's no security scanning or code signing process to verify that synced third-party plugins don't contain malicious commands (e.g., curl | bash piped to sh, exfiltration of environment variables, or cryptocurrency miners).

Given that:

  1. Sync workflows pull code from external repos automatically
  2. Users install these plugins into their Claude Code environment
  3. Some plugins may have shell scripts with elevated permissions

There should be a security audit step in CI that flags:

  • Network calls in shell scripts (curl, wget)
  • Environment variable access ($HOME, $SSH_AUTH_SOCK)
  • Subshell execution ($(...), backticks)
  • Suspicious patterns in downloaded code

This is a supply chain security concern for a plugin marketplace.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions