@aidraw/agentdraw@0.1.14

⚠ Under review

Local-first editable whiteboard workspace for coding agents.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 130 file(s), 7.83 MB of source, external domains: app.excalidraw.com, chevrotain.io, discord.gg, docs.excalidraw.com, en.wikipedia.org, excalidraw-room-persistence.firebaseio.com, github.com, json.excalidraw.com, langium.org, libraries.excalidraw.com, mermaid.js.org, oss-ai.excalidraw.com, oss-collab.excalidraw.com, player.vimeo.com, plus.excalidraw.com, react.dev, us-central1-excalidraw-room-persistence.cloudfunctions.net, www.w3.org, www.youtube.com, x.com, youtube.com

Source & flagged code

7 flagged
web-dist/assets/subset-shared.chunk-62dPLQau.js
L22: patternName = aws_access_key severity = critical line = 22 matchedText = `,X.push...64};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

web-dist/assets/subset-shared.chunk-62dPLQau.js · L22
L22: patternName = aws_access_key severity = critical line = 22 matchedText = `,X.push...64};
Critical
Secret Pattern

AWS access key ID in web-dist/assets/subset-shared.chunk-62dPLQau.js

web-dist/assets/subset-shared.chunk-62dPLQau.js · L22
L1: import{f as Vg}from"./index-Bg0bRLch.js";var vC=(()=>{let F=new Uint8Array(128);for(let L=0;L<64;L++)F[L<26?L+65:L<52?L+71:L<62?L-4:L*4-205]=L;return L=>{let I=L.length,c=new Uint8... L2: ${I.extraStackTrace()}`),hI(A)}function sI(A,g,C,Q){w(`Assertion failed: ${$(A)}, at: ${[g?$(g):"unknown filename",C,Q?$(Q):"unknown function"]}`)}function NI(A){return yA(A)}funct... L3: "use strict"; return body.apply(this, arguments);
Low
Eval

Package source references a known benign dynamic code generation pattern.

web-dist/assets/subset-shared.chunk-62dPLQau.js · L1
web-dist/assets/index-Bg0bRLch.js
L100: contains invisible/control Unicode U+202A (left-to-right embedding) `)},Hte=0,qc=[];function Xte(e){var t=D.useRef([]),n=D.useRef([0,0]),a=D.useRef(),i=D.useState(Hte++)[0],l=D.useState(zA)[0],s=D.useRef(e);D.useEffect(function(){s.current=e},[e]),D.useEffect(function(){if(e.inert){document.body.classList.a
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

web-dist/assets/index-Bg0bRLch.js · L100
L10: patternName = google_api_key severity = high line = 10 matchedText = `).repla...AZZX
High
Secret Pattern

Google API key in web-dist/assets/index-Bg0bRLch.js

web-dist/assets/index-Bg0bRLch.js · L10
web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
path = web-dist/assets/Assistant-Bold-gm-uSS1B.woff2 kind = high_entropy_blob sizeBytes = 20380 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
dist/index.js
matchType = previous_version_dangerous_delta matchedPackage = @aidraw/agentdraw@0.1.12 matchedIdentity = npm:QGFpZHJhdy9hZ2VudGRyYXc:0.1.12 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.js

Findings

3 Critical · 3 High · 4 Medium · 7 Low
Critical · Critical Secret · web-dist/assets/subset-shared.chunk-62dPLQau.js
Critical · Trojan Source Unicode · web-dist/assets/index-Bg0bRLch.js
Critical · Secret Pattern · web-dist/assets/subset-shared.chunk-62dPLQau.js
High · Ships High Entropy Blob · web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
High · Previous Version Dangerous Delta · dist/index.js
High · Secret Pattern · web-dist/assets/index-Bg0bRLch.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · web-dist/assets/subset-shared.chunk-62dPLQau.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings