@aion0/forge@0.11.20

⚠ Under review

Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 21 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 476 file(s), 4.53 MB of source, external domains: 0.0.0.0, 127.0.0.1, api.anthropic.com, api.deepseek.com, api.github.com, api.openai.com, api.telegram.org, api.x.ai, cli.github.com, dashscope.aliyuncs.com, example.com, generativelanguage.googleapis.com, git-scm.com, github.com, gitlab.com, nvd.nist.gov, raw.githubusercontent.com, registry.npmjs.org, www.w3.org

Source & flagged code

14 flagged

app/api/craft-system/publish/auto/route.ts · L19
L19: // args[0] is the program; the rest are literal arguments. Throws on non-zero exit.
L20: function exec(args: readonly string[], cwd?: string, timeout = 60000): string {
L21:   return run(args[0], args.slice(1), { cwd, timeout, maxBuffer: 10 * 1024 * 1024 });
High
Child Process

Package source references child process execution.

lib/plugins/executor.ts · L140
L140: async function executeShell(action: PluginAction, ctx: Record<string, any>): Promise<PluginActionResult> {
L141:   // Shell actions run a free-form `/bin/sh -c` built from a template + request
L142:   // params — RCE by design. Enforce the operator opt-in flag HERE, at the single
High
Shell

Package source references shell execution.

lib/crafts/runtime.ts · L16
L16: // Function-wrapped dynamic import so Turbopack doesn't try to statically resolve the URL.
L17: const dynamicImport = new Function('u', 'return import(u)') as (u: string) => Promise<any>;
L18:
Low
Eval

Package source references a known benign dynamic code generation pattern.

app/api/monitor/route.ts · L101
L101: try {
L102:   const { readFileSync } = require('fs');
L103:   const { join } = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

app/api/crafts/route.ts · L13
L13: const projectPath = url.searchParams.get('projectPath');
L14: if (!projectPath) return NextResponse.json({ error: 'projectPath required' }, { status: 400 });
L15: const all = listProjectCrafts(projectPath);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

cli/mw.mjs · L501
L501: });
L502: import { execSync, spawnSync } from "node:child_process";
L503: import { existsSync as existsSync2, readdirSync, statSync } from "node:fs";
...
L507:   const port = portArgIdx >= 0 ? process.argv[portArgIdx + 1] : void 0;
L508:   return process.env.MW_URL || `http://localhost:${port || "8403"}`;
L509: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/forge-server.mjs · L67
L67:   // installed npm-package copy (.npmrc isn't published).
L68:   execSync('npm install --include=dev --legacy-peer-deps', { cwd: ROOT, stdio: 'inherit' });
L69: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

check-forge-status.sh
  path = check-forge-status.sh
  kind = build_helper
  sizeBytes = 2985
  magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

docs/Forge_Strategy_Research_2026.docx
  path = docs/Forge_Strategy_Research_2026.docx
  kind = high_entropy_blob
  sizeBytes = 23982
  magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

docs/Forge_Strategy_Research_2026.docx
  path = docs/Forge_Strategy_Research_2026.docx
  kind = compressed_blob
  sizeBytes = 23982
  magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

docs/Forge_Strategy_Research_2026.docx
  path = docs/Forge_Strategy_Research_2026.docx
  kind = nested_archive_needs_inspection
  sizeBytes = 23982
  magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

cli/mw.ts
  matchType = previous_version_dangerous_delta
  matchedPackage = @aion0/forge@0.11.19
  matchedIdentity = npm:QGFpb24wL2Zvcmdl:0.11.19
  similarity = 0.975
  summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

lib/help-docs/21-build-connector.md · L159
  patternName = generic_password
  severity = medium
  line = 159
  matchedText = password...en}'
Medium
Secret Pattern

Hardcoded password in lib/help-docs/21-build-connector.md

lib/help-docs/21-build-connector.md · L208
  patternName = generic_password
  severity = medium
  line = 208
  matchedText = password...rd}'
Medium
Secret Pattern

Hardcoded password in lib/help-docs/21-build-connector.md

Findings

1 Critical · 5 High · 8 Medium · 7 Low

Critical · Previous Version Dangerous Delta · cli/mw.ts
High · Child Process · app/api/craft-system/publish/auto/route.ts
High · Shell · lib/plugins/executor.ts
High · Same File Env Network Execution · cli/mw.mjs
High · Runtime Package Install · bin/forge-server.mjs
High · Ships High Entropy Blob · docs/Forge_Strategy_Research_2026.docx
Medium · Dynamic Require · app/api/monitor/route.ts
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · check-forge-status.sh
Medium · Ships Compressed Blob · docs/Forge_Strategy_Research_2026.docx
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · lib/help-docs/21-build-connector.md
Medium · Secret Pattern · lib/help-docs/21-build-connector.md
Low · Scripts Present
Low · Eval · lib/crafts/runtime.ts
Low · Weak Crypto · app/api/crafts/route.ts
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Nested Archive Needs Inspection · docs/Forge_Strategy_Research_2026.docx