@bastani/atomic@0.9.4

Atomic coding agent CLI with read, bash, edit, write tools and session management

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Minified, Url Strings
Manifest: No manifest risk signals triggered.
scanned 1,229 file(s), 9.65 MB of source, external domains: 127.0.0.1, accounts.google.com, api.anthropic.com, api.enterprise.githubcopilot.com, api.exa.ai, api.github.com, api.githubcopilot.com, api.individual.githubcopilot.com, api.perplexity.ai, api2.cursor.sh, atomic.sh, cdn.jsdelivr.net, claude.ai, cli.github.com, cloud.gitlab.com, console.anthropic.com, content-push.googleapis.com, cursor.com, distro.ibiblio.org, dribbble.com, example.com, fonts.googleapis.com, fonts.gstatic.com, gemini.google.com, generativelanguage.googleapis.com, git-scm.com, github.com, gitlab.com, img.youtube.com, impeccable.style, json-schema.org, mariozechner.at, mcp.exa.ai, mistral.ai, motionsites.ai, perplexity.ai, pi.dev, r.jina.ai, recent.design, registry.npmjs.org, shittycodingagent.ai, www.awwwards.com, www.google.com, www.monet.design, www.w3.org, www.youtube.com

Source & flagged code

6 flagged
examples/extensions/doom-overlay/doom-engine.ts · L64
L64: const nativeRequire = createRequire(doomJsPath);
L65: const moduleFunc = new Function("module", "exports", "__dirname", "__filename", "require", doomJsCode);
L66: moduleFunc(moduleExports, moduleExports.exports, buildDir, doomJsPath, nativeRequire);
Low · Eval

Package source references a known benign dynamic code generation pattern.

dist/core/tools/search-native.js · L9
L9: try {
L10: const require = createModuleRequire(import.meta.url);
L11: const binding = require("@bastani/atomic-natives");
Medium · Dynamic Require

Package source references dynamic require/import behavior.

dist/builtin/workflows/skills/impeccable/scripts/live/svelte-component.mjs · L20
L20: export function [redacted](filePath) {
L21: if (/^(0|false|no)$/i.test(process.env.IMPECCABLE_LIVE_SVELTE_COMPONENT || '')) return false;
L22: return path.extname(filePath).toLowerCase() === '.svelte';
...
L24:
L25: export function componentSessionDir(id, cwd = process.cwd()) {
L26: return path.join(cwd, SVELTE_COMPONENT_ROOT, id);
...
L255: export function readManifest(manifestPath) {
L256: const data = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
L257: return {
Low · Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/tools/fetch-url.js · L16
L16: */
L17: import { lookup } from "node:dns/promises";
L18: import { ipFamily, isPrivateIpAddress, normalizeIpLiteralHost } from "./url-ip-guards.js";
L19: import { LRUCache } from "lru-cache";
...
L204: throw new Error(`Unsupported URL protocol: ${parsed.protocol}`);
L205: if (process.env.ATOMIC_ALLOW_PRIVATE_URL_READS === "1")
L206: return undefined;
...
L226: if (!response.body) {
L227: const buffer = Buffer.from(await response.arrayBuffer());
L228: if (buffer.length > MAX_URL_RESPONSE_BYTES)
High · Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/builtin/subagents/skills/tmux/scripts/wait-for-text.sh
path = [redacted]-for-text.sh
kind = build_helper
sizeBytes = 2138
magicHex = [redacted]
Medium · Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/core/tools/bash.js
matchType = previous_version_dangerous_delta
matchedPackage = @bastani/atomic@0.9.3
matchedIdentity = npm:QGJhc3RhbmkvYXRvbWlj:0.9.3
similarity = 0.775
summary = stored previous version shares package body but lacks this dangerous source file
High · Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Findings

2 High · 5 Medium · 7 Low

High · Cloud Metadata Access · dist/core/tools/fetch-url.js
High · Previous Version Dangerous Delta · dist/core/tools/bash.js
Medium · Dynamic Require · dist/core/tools/search-native.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · dist/builtin/subagents/skills/tmux/scripts/wait-for-text.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · examples/extensions/doom-overlay/doom-engine.ts
Low · Weak Crypto · dist/builtin/workflows/skills/impeccable/scripts/live/svelte-component.mjs
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings