evidence-heavy-evaluator
Audited by Socket on Mar 9, 2026
1 alert found:
Obfuscated File
The script is a legitimate evidence collection tool that intentionally includes functionality to execute repository-provided scripts and a repository-supplied renderer. The file itself contains no obvious malicious payloads, hard-coded secrets, or obfuscation. However, when run with --execute-checks (and DEPTH=deep) or when `uv` is available and the renderer exists, it will execute untrusted code from the target repository (package scripts and Python renderer), which can perform arbitrary actions on the host (including data access, network access, and modifications). This represents a significant supply-chain/execution risk. Recommendation: only run against trusted repositories or inside isolated environments (ephemeral containers, restricted VMs, or with network/file-system restrictions), and review package.json scripts and the renderer before enabling execution.