@anish98821/taskdir@0.4.3

Local task substrate for AI coding agents. Filesystem-backed, MCP-native.

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 60.3 KB of source

Source & flagged code

7 flagged
dist/bin/taskdir.js
    L985: // bin/cli.ts
    L986: import { spawn, spawnSync } from "node:child_process";
    L987: import crypto from "node:crypto";
High
Child Process

Package source references child process execution.

dist/bin/taskdir.js · L985
    L1624: const result = spawnSync2(
    L1625: "powershell",
    L1626: ["-NoProfile", "-NonInteractive", "-Command", psScript],
High
Shell

Package source references shell execution.

dist/bin/taskdir.js · L1624
    L1481: }
    L1482: const url = `http://${displayHost(host)}:${port}`;
    L1483: const spinner = new Spinner();
    ...
    L1487: const stderrChunks = [];
    L1488: const child = spawn(
    L1489: process.execPath,
    ...
    L1494: env: {
    L1495: ...process.env,
    L1496: TASKDIR_PROJECT_ROOT: projectRoot2,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/taskdir.js · L1481
    L1474: } catch (e) {
    L1475: process.stderr.write(
    L1476: `taskdir web: ${e instanceof Error ? e.message : String(e)}
    ...
    L1481: }
    L1482: const url = `http://${displayHost(host)}:${port}`;
    L1483: const spinner = new Spinner();
    ...
    L1487: const stderrChunks = [];
    L1488: const child = spawn(
    L1489: process.execPath,
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/bin/taskdir.js · L1474
    L1622: `.trim();
    L1623: const { spawnSync: spawnSync2 } = await import("node:child_process");
    L1624: const result = spawnSync2(
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/taskdir.js · L1622
    L74: function projectRoot() {
    L75: return process.env.TASKDIR_PROJECT_ROOT || process.cwd();
    L76: }
    ...
    L985: // bin/cli.ts
    L986: import { spawn, spawnSync } from "node:child_process";
    L987: import crypto from "node:crypto";
    L988: import { promises as fs4, existsSync as existsSync2 } from "node:fs";
    L989: import http from "node:http";
    L990: import net from "node:net";
    ...
    L1015: if (!process.stdin.isTTY) return defaultValue;
    L1016: const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
    L1017: try {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bin/taskdir.js · L74
dist/web/.next/static/media/bbc41e54d2fcbd21-s.1rgnod-3esatf.woff2
    path = dist/web/.[redacted]-s.1rgnod-3esatf.woff2
    kind = high_entropy_blob
    sizeBytes = 14712
    magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web/.next/static/media/bbc41e54d2fcbd21-s.1rgnod-3esatf.woff2

Findings

5 High · 4 Medium · 4 Low
High · Child Process · dist/bin/taskdir.js
High · Shell · dist/bin/taskdir.js
High · Same File Env Network Execution · dist/bin/taskdir.js
High · Command Output Exfiltration · dist/bin/taskdir.js
High · Ships High Entropy Blob · dist/web/.next/static/media/bbc41e54d2fcbd21-s.1rgnod-3esatf.woff2
Medium · Dynamic Require · dist/bin/taskdir.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/bin/taskdir.js
Low · Filesystem
Low · High Entropy Strings