SkillTotal

Is lodash safe?

No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Node.js shell/command execution
  • Node.js filesystem write/delete

lodash is an npm package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 2 risky constructs are reported for review. Its detected capabilities are filesystem write and shell execution; capabilities describe what the code can do, not a verdict on intent. Risk score 0/100 (low).

lodash 4.18.1

npm_package · npm:lodash
Risk score: 0 / 100 (LOW)
Snapshot · scanned Jul 5, 2026 · lodash@4.18.1 · engine 0.30.0 / ruleset 28

Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of lodash's authors.

Capabilities — what this component can do (not a risk score):
  • filesystem write
  • shell execution

Findings (2)

HIGH · Node.js shell/command execution · ST-SHELL-NODE

The component can run operating-system commands or spawn processes.

var result = new regexp.constructor(regexp.source, reFlags.exec(regexp));
var uid = /[^.]+$/.exec(coreJsData && coreJsData.keys && coreJsData.keys.IE_PROTO || '');
separator = RegExp(separator.source, toString(reFlags.exec(separator)) + 'g');
while ((match = separator.exec(substring))) {
}function Iu(n,t,r){var e=n.length;return r=r===X?e:r,!t&&r>=e?n:au(n,t,r)}function Ou(n,t){if(t)return n.slice();var r=n.length,e=zl?zl(r):new n.constructor(r);return n.copy(e),e}function Ru(n){var t=new n.constructor(n.byteLength);return …
if(!n||!(t=vu(t)))return n;var e=G(n);return Iu(e,W(e,G(t))).join("")}function Ia(n,t){var r=kn,e=In;if(fc(t)){var u="separator"in t?t.separator:u;r="length"in t?kc(t.length):r,e="omission"in t?vu(t.omission):e}n=Ec(n);var i=n.length;if(T(n …
}function el(n){return n&&n.length?k(n,La):0}function ul(n,t){return n&&n.length?k(n,mi(t,2)):0}x=null==x?re:be.defaults(re.Object(),x,be.pick(re,Zr));var il=x.Array,ol=x.Date,fl=x.Error,cl=x.Function,al=x.Math,ll=x.Object,sl=x.RegExp,hl=x. …

Why it matters: Powerful and often legitimate; confirm the commands aren't built from untrusted input. Note that the evidence lines quoted above call exec() on regular-expression objects (RegExp.prototype.exec) and clone RegExp instances via their constructor, not child_process, so weigh this finding against the false-positive notice above.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; prefer execFile with an argument array.

MEDIUM · Node.js filesystem write/delete · ST-FS-NODE-WRITE

The component writes or deletes files on disk.

* fs.writeFileSync(path.join(process.cwd(), 'jst.js'), '\

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.


How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.