I don’t want to market my plugin outside of WordPress right now. I have found that it works best on open-source code. I don’t know anything about xenforo but some non-open-source developers use the same methods to encrypt or obfuscate their code as hackers do which could lean to a high rate of false positives.
If you are not sure about the code in xenforo that my plugin has found then you should examine it or even try to decrypt it first to see what it does. If your don’t know what it is or how to do that you can zip it up and send it to my and I’ll take a look at it.