registry  /  @aiderdesk/aiderdesk  /  0.74.0

@aiderdesk/aiderdesk@0.74.0

AiderDesk - AI-Powered Development Platform

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 382 file(s), 20.8 MB of source, external domains: 127.0.0.1, aider.chat, aiderdesk.hotovo.com, api.cerebras.ai, api.cline.bot, api.deepseek.com, api.groq.com, api.kimi.com, api.minimax.io, api.mistral.ai, api.neuralwatt.com, api.openai.com, api.synthetic.new, api.z.ai, app.cline.bot, app.requesty.ai, bailian.console.aliyun.com, bit.ly, cdn.jsdelivr.net, chevrotain.io, cloud.langfuse.com, coding-intl.dashscope.aliyuncs.com, console.groq.com, console.mistral.ai, dev.synthetic.new, docs.z.ai, en.wikibooks.org, en.wikipedia.org, esm.sh, eu.i.posthog.com, example.com, generativelanguage.googleapis.com, github.com, html.spec.whatwg.org, langium.org, makersuite.google.com, modelcontextprotocol.io, models.dev, opencode.ai, openrouter.ai, platform.minimax.io, platform.openai.com, portal.neuralwatt.com, pypi.org, raw.githubusercontent.com, react.dev, redux-toolkit.js.org, redux.js.org, router.requesty.ai, tex.stackexchange.com
Oversized source lightweight scan
out/renderer/assets/index-CmQY2QKE.js4.90 MB file, sampled 256 KB
No sampled risky behavior triggered.
out/renderer/assets/index-D6b3rMtW.js6.67 MB file, sampled 256 KB
No sampled risky behavior triggered.
out/renderer/assets/index-Dq3ldCAy.js26.1 MB file, sampled 256 KB
HighEntropyStringsUrlStrings127.0.0.1aider.chatexample.comgithub.comreact.devyour-dashboard.example.com

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = patch-package && RESOURCES_DIR=./out/resources node scripts/download-probe.mjs --current-platform-only
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = patch-package && RESOURCES_DIR=./out/resources node scripts/download-probe.mjs --current-platform-only
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
out/renderer/assets/blade-BbH7YAUi.jsView file
8import "./java-BfXh-0uJ.js"; L9: const lang = Object.freeze(JSON.parse(`{"displayName":"Blade","fileTypes":["blade.php"],"foldingStartMarker":"(/\\\\*|\\\\{\\\\s*$|<<<HTML)","foldingStopMarker":"(\\\\*/|^\\\\s*}|^... L10: const blade = [
High
Child Process

Package source references child process execution.

out/renderer/assets/blade-BbH7YAUi.jsView on unpkg · L8
out/runner.jsView file
965} L966: const execAsync$3 = util.promisify(child_process.exec); L967: let cachedPath = null;
High
Shell

Package source references shell execution.

out/runner.jsView on unpkg · L965
14616const env = { L14617: ...process.env, L14618: ...environmentVariables, ... L14626: TASK_DIR: this.task.getTaskDir(), L14627: CONNECTOR_SERVER_URL: `http://localhost:${SERVER_PORT}`, L14628: CONNECTOR_CONFIRM_BEFORE_EDIT: settings.aider.confirmBeforeEdit ? "1" : "0" L14629: }; L14630: this.aiderProcess = child_process.spawn(PYTHON_COMMAND, args, { L14631: cwd: this.task.getTaskDir(),
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

out/runner.jsView on unpkg · L14616
32const os = require("os"); L33: const http = require("http"); L34: const istextorbinary = require("istextorbinary"); L35: const child_process = require("child_process"); L36: const treeKill = require("tree-kill"); ... L401: handoff: zod.z.boolean().optional(), L402: lastAgentProviderMetadata: zod.z.unknown().optional(), L403: metadata: zod.z.record(zod.z.string(), zod.z.unknown()).optional() ... L483: const mediaType = part.mediaType || "image/png"; L484: return data.startsWith("data:") ? data : `data:${mediaType};base64,${data}`; L485: }).filter((v) => v !== void 0); ... L517: };
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

out/runner.jsView on unpkg · L32
32const os = require("os"); L33: const http = require("http"); L34: const istextorbinary = require("istextorbinary"); L35: const child_process = require("child_process"); L36: const treeKill = require("tree-kill"); ... L401: handoff: zod.z.boolean().optional(), L402: lastAgentProviderMetadata: zod.z.unknown().optional(), L403: metadata: zod.z.record(zod.z.string(), zod.z.unknown()).optional() ... L483: const mediaType = part.mediaType || "image/png"; L484: return data.startsWith("data:") ? data : `data:${mediaType};base64,${data}`; L485: }).filter((v) => v !== void 0); ... L517: };
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

out/runner.jsView on unpkg · L32
bin/aiderdesk.jsView file
2L3: const path = require('path'); L4:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/aiderdesk.jsView on unpkg · L2
out/cli.jsView file
4Cross-file remote execution chain: out/cli.js spawns out/runner.js; helper contains network access plus dynamic code execution. L4: const commander = require("commander"); L5: const child_process = require("child_process"); L6: const piTui = require("@earendil-works/pi-tui"); L7: const http = require("http"); L8: const node_stream = require("node:stream"); ... L34: const runnerPath = path.resolve(pkgRoot, "out", "runner.js"); L35: const probePlatformDir = process.platform === "win32" ? "win" : process.platform === "darwin" ? "macos" : "linux"; L36: const probeExeName = process.platform === "win32" ? "probe.exe" : "probe"; ... L39: function getPortFromEnv() { L40: const envPort = process.env.AIDER_DESK_PORT; L41: if (envPort) { ... L78: const color = isError ? "\x1B[31m" : "\x1B[33m";
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

out/cli.jsView on unpkg · L4
out/resources/connector/connector.pyView file
path = [redacted].py kind = build_helper sizeBytes = 61410 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

out/resources/connector/connector.pyView on unpkg
out/renderer/assets/index-CmQY2QKE.jsView file
path = out/renderer/assets/index-CmQY2QKE.js kind = oversized_source_file sizeBytes = 5140915 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

out/renderer/assets/index-CmQY2QKE.jsView on unpkg

Findings

7 High7 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processout/renderer/assets/blade-BbH7YAUi.js
HighShellout/runner.js
HighSame File Env Network Executionout/runner.js
HighSandbox Evasion Gated Capabilityout/runner.js
HighCross File Remote Execution Contextout/cli.js
HighOversized Source Fileout/renderer/assets/index-CmQY2QKE.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/aiderdesk.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceout/runner.js
MediumShips Build Helperout/resources/connector/connector.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings