registry  /  @alan-zhao/yolk-pi-web  /  0.7.12

@alan-zhao/yolk-pi-web@0.7.12

yolk pi web WebChat workspace for the pi coding agent

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 338 KB of source, external domains: 127.0.0.1, example.com, example.local

Source & flagged code

6 flagged · loading source
scripts/test-terminal-ssh-config.mjsView file
108patternName = generic_password severity = medium line = 108 matchedText = await wr... });
Medium
Secret Pattern

Package contains a possible secret pattern.

scripts/test-terminal-ssh-config.mjsView on unpkg · L108
bin/ypic.jsView file
26// eslint-disable-next-line @typescript-eslint/no-require-imports L27: const { parseArgs } = require("util"); L28: // eslint-disable-next-line @typescript-eslint/no-require-imports
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/ypic.jsView on unpkg · L26
scripts/start-pi-web-proxy.ps1View file
path = scripts/start-pi-web-proxy.ps1 kind = build_helper sizeBytes = 1322 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/start-pi-web-proxy.ps1View on unpkg
.next/server/app/favicon.ico.bodyView file
path = .next/server/app/favicon.ico.body kind = high_entropy_blob sizeBytes = 22542 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/server/app/favicon.ico.bodyView on unpkg
.next/server/app/page.jsView file
path = .next/server/app/page.js kind = payload_in_excluded_dir sizeBytes = 2730128 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.next/server/app/page.jsView on unpkg
path = .next/server/app/page.js kind = oversized_source_file sizeBytes = 2730128 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

.next/server/app/page.jsView on unpkg

Findings

3 High6 Medium5 Low
HighShips High Entropy Blob.next/server/app/favicon.ico.body
HighPayload In Excluded Dir.next/server/app/page.js
HighOversized Source File.next/server/app/page.js
MediumSecret Patternscripts/test-terminal-ssh-config.mjs
MediumDynamic Requirebin/ypic.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/start-pi-web-proxy.ps1
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings