❗ This is not a plugin ❗
PluginScan is a simple anti-malware scanner that automatically detects suspicious code patterns in compiled Minecraft plugins. It can scan any jar file, but its checks are primarily designed to detect interactions with popular Minecraft APIs (Spigot, Bungee, etc.).
Note that PluginScan is still at a very early stage of development, so many things do not yet work well.
Web version [Open]
The simplest way to use PluginScan is to visit the website. Drop a plugin onto the web page and it will be scanned. Note that all scanning is done entirely client-side in your browser, so the plugin never leaves your machine and you don't need to worry about it being leaked. This is achieved by compiling the whole PluginScan codebase to JavaScript with the Kotlin/JS compiler, which has a downside: poor performance. If you need to scan many plugins at once, use the CLI version instead.
CLI Version [Download]
PluginScan can also be used as a simple JVM-based CLI tool. Download it from this SpigotMC resource or from the GitHub releases page.
Usage:
Code (Text):
java -jar PluginScan.jar <input-file-or-directory>
Understanding reports
PluginScan reports contain a risk level, a short threat description, information about how the pattern was detected, and the location of the potentially malicious pattern (e.g. the name of the class in which it was found).
There are 4 risk levels: low, moderate, high and critical.
- Low risk level is usually given to checks with a high chance of false positives.
- Moderate risk level marks reports that deserve your attention. There is still a good chance that everything is fine, but you should check it yourself if you got the plugin from a source you don't fully trust.
- High risk level marks behavior that plugins are not normally supposed to exhibit, such as loading DLLs (native libraries) at runtime. Legitimate code can still trigger it, but you should definitely review the plugin manually if your server's security matters to you.
- Critical risk level is given to really uncommon and dangerous plugin behavior, such as executing OS commands.
Note that PluginScan results are not 100% proof of anything. It is just a tool, and you need at least basic knowledge of Java and the Spigot/Bungee/etc. API to correctly interpret its output. Getting zero reports for a plugin does not guarantee it is safe, because there are thousands of ways to fool automated scanning tools (obfuscation, reflection, runtime class loading, and so on). Conversely, the presence of reports, even at a high risk level, does not mean the plugin contains malware: context matters. For example, there is nothing suspicious about a permissions plugin using the setOp API internally, but the same setOp report would look strange when scanning a plugin that colors chat messages.
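To make the report fields above concrete, here is an added example of the kind of check such a scanner performs. It is not PluginScan's own code (PluginScan is written in Kotlin): it walks each class file's constant pool inside a jar, collects the classes and methods the plugin references, and matches them against a small rule table. The rule table, its risk levels and descriptions, the `com/example/Sample` class and the sample jar are all constructed assumptions for illustration, not PluginScan's real rules or output.

```python
import io
import struct
import zipfile

# Hypothetical rule table, not PluginScan's real rules: (owner, method) -> (risk, description).
RULES = {
    ("java/lang/Runtime", "exec"): ("critical", "executes OS commands"),
    ("java/lang/ProcessBuilder", "start"): ("critical", "executes OS commands"),
    ("java/lang/System", "load"): ("high", "loads a native library at runtime"),
    ("org/bukkit/entity/Player", "setOp"): ("moderate", "grants operator status"),
}

def parse_constant_pool(data):
    """1-based list of (tag, payload); slot 0 and the slot after a Long/Double stay None."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off, i = [None] * count, 10, 1
    while i < count:
        tag, off = data[off], off + 1
        if tag == 1:                                  # Utf8: u2 length + bytes
            (n,) = struct.unpack(">H", data[off:off + 2])
            pool[i], off = (tag, data[off + 2:off + 2 + n].decode("utf-8", "replace")), off + 2 + n
        elif tag in (3, 4):                           # Integer, Float
            pool[i], off = (tag, data[off:off + 4]), off + 4
        elif tag in (5, 6):                           # Long, Double: 8 bytes, two slots
            pool[i], off = (tag, data[off:off + 8]), off + 8
            i += 1
        elif tag in (7, 8, 16, 19, 20):               # Class, String, MethodType, Module, Package
            pool[i], off = (tag, struct.unpack(">H", data[off:off + 2])[0]), off + 2
        elif tag in (9, 10, 11, 12, 17, 18):          # member refs, NameAndType, (Invoke)Dynamic
            pool[i], off = (tag, struct.unpack(">HH", data[off:off + 4])), off + 4
        elif tag == 15:                               # MethodHandle: u1 kind + u2 index
            pool[i], off = (tag, struct.unpack(">BH", data[off:off + 3])), off + 3
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {off - 1}")
        i += 1
    return pool

def find_member_refs(pool):
    """Yield (owner, name, descriptor) for every field/method reference in the pool."""
    for entry in pool:
        if entry is None or entry[0] not in (9, 10, 11):  # Fieldref/Methodref/InterfaceMethodref
            continue
        class_idx, nat_idx = entry[1]
        owner = pool[pool[class_idx][1]][1]           # Class -> Utf8 name
        name_idx, desc_idx = pool[nat_idx][1]         # NameAndType -> (Utf8, Utf8)
        yield owner, pool[name_idx][1], pool[desc_idx][1]

def scan_class(location, data):
    """Report dicts with the fields the page describes: risk, description, how detected, location."""
    reports = []
    for owner, name, desc in find_member_refs(parse_constant_pool(data)):
        rule = RULES.get((owner, name))
        if rule:
            reports.append({"risk": rule[0], "description": rule[1], "location": location,
                            "detected": f"constant-pool reference to {owner}.{name}{desc}"})
    return reports

def scan_jar(jar_bytes):
    """Scan every .class entry of a jar held in memory; nested jars are not unpacked."""
    reports = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                reports.extend(scan_class(info.filename, zf.read(info)))
    return reports

def build_sample_class(refs):
    """Constructed input: minimal class file whose pool references the given triples (empty body)."""
    entries = []

    def add(raw):
        entries.append(raw)
        return len(entries)                           # 1-based constant-pool index

    def utf8(text):
        enc = text.encode("utf-8")
        return add(struct.pack(">BH", 1, len(enc)) + enc)

    this_class = add(struct.pack(">BH", 7, utf8("com/example/Sample")))
    add(struct.pack(">Bq", 5, 1234567890123)); entries.append(b"")  # a Long and its unusable 2nd slot
    for owner, method, desc in refs:
        cls = add(struct.pack(">BH", 7, utf8(owner)))
        nat = add(struct.pack(">BHH", 12, utf8(method), utf8(desc)))
        add(struct.pack(">BHH", 10, cls, nat))        # Methodref
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(entries) + 1)
    trailer = struct.pack(">HHHHHHH", 0x0021, this_class, 0, 0, 0, 0, 0)  # flags, this, super, 4 zero counts
    return header + b"".join(entries) + trailer

def build_sample_jar():
    """Constructed input: one class that runs an OS command and ops a player, plus harmless sendMessage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Sample.class", build_sample_class([
            ("java/lang/Runtime", "exec", "(Ljava/lang/String;)Ljava/lang/Process;"),
            ("org/bukkit/entity/Player", "setOp", "(Z)V"),
            ("org/bukkit/entity/Player", "sendMessage", "(Ljava/lang/String;)V"),
        ]))
    return buf.getvalue()
```

Running `scan_jar(build_sample_jar())` yields one critical report (Runtime.exec) and one moderate report (Player.setOp), each naming `com/example/Sample.class` as the location; the sendMessage reference matches no rule. The same limits the page warns about apply here: a plugin that builds the class name as a string and calls it through reflection, or unpacks a nested jar at runtime, leaves no matching constant-pool entry and scans clean.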
More information is available in the README on GitHub.