No confirmed malicious attack surface. The package indexes a Unity project and writes package-owned `.dynamo` artifacts; its process launches are tied to explicit Unity project-open functionality.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Runtime indexing or an explicit Unity project-open operation through the provider.
Impact
Reads Unity project content and creates `.dynamo` index/knowledge-base files in the selected project.
Mechanism
Local Unity project indexing, metadata generation, and optional Unity editor launch.
Rationale
Source inspection finds obfuscated but package-aligned Unity indexing and explicit editor-control functionality, not exfiltration, remote payload delivery, persistence, or install-time mutation. The scanner verdict is unsupported by a concrete malicious execution chain.
Evidence
package.jsondist/index.jsdist/parse-worker.jsdist/index.d.tsREADME.md.dynamo/project-index.json.dynamo/kb/ProjectSettings/ProjectSettings.assetProjectSettings/DynamoMcpConfig.asset