this is actually an interesting idea to re-implement! imagine a JS runtime with hooks all over the place. these hooks look for `chmod`, `rm -r ~`/`rm -rf /` and such, intercept network requests, and scan variables for known API key patterns, e.g `sk_****`.