Is lodash safe?
- Node.js shell/command execution
- Node.js filesystem write/delete
lodash is an npm package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators; it reports 2 risky constructs for review. Capabilities detected: filesystem write and shell execution. Capabilities describe what the code can do, not a verdict on intent. Risk score 0/100 (low).
lodash 4.18.1
Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of lodash's authors.
Findings (2)
Finding 1: shell/command execution. The component can run operating-system commands or spawn processes. Evidence: every matched snippet is a .exec( call, and in each one the receiver is a regular expression (a regex literal, or a value whose .source and flags are handed to RegExp or new regexp.constructor), so these are RegExp.prototype.exec matches rather than child_process.exec. Treat this finding as a likely false positive unless the module also loads child_process.
var result = new regexp.constructor(regexp.source, reFlags.exec(regexp));
var uid = /[^.]+$/.exec(coreJsData && coreJsData.keys && coreJsData.keys.IE_PROTO || '');
separator = RegExp(separator.source, toString(reFlags.exec(separator)) + 'g');
while ((match = separator.exec(substring))) {
[the same constructs also matched in the minified build; that evidence is truncated ("…") in the report]
Why it matters: Powerful and often legitimate; confirm the commands aren't built from untrusted input.
Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; prefer execFile with an argument array.
Finding 2: filesystem write/delete. The component writes or deletes files on disk. Evidence (one match; the leading "*" shows the line sits inside a documentation comment block, so confirm against the surrounding source before treating it as a runtime write):
* fs.writeFileSync(path.join(process.cwd(), 'jst.js'), '\
Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.
Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.
Check your own component
Run the same evidence-backed scan on any MCP server, agent skill, or package.
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.