registry  /  @canonmsg/core  /  4.2.3

@canonmsg/core@4.2.3

Canon core — shared types, REST client, SSE stream, and registration for Canon messaging

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 41 file(s), 345 KB of source, external domains: api-6m6mlelskq-uc.a.run.app, canon-agent-stream-195218560334.us-central1.run.app, identitytoolkit.googleapis.com, project-007a8e71-ba01-49e6-8aa-default-rtdb.firebaseio.com

Source & flagged code

3 flagged · loading source
dist/constants.jsView file
4patternName = google_api_key severity = high line = 4 matchedText = export c...lE';
High
High Secret

Package contains a high-severity secret pattern.

dist/constants.jsView on unpkg · L4
4patternName = google_api_key severity = high line = 4 matchedText = export c...lE';
High
Secret Pattern

Google API key in dist/constants.js

dist/constants.jsView on unpkg · L4
dist/constants.d.tsView file
4patternName = google_api_key severity = high line = 4 matchedText = export d...lE";
High
Secret Pattern

Google API key in dist/constants.d.ts

dist/constants.d.tsView on unpkg · L4

Findings

3 High2 Medium4 Low
HighHigh Secretdist/constants.js
HighSecret Patterndist/constants.js
HighSecret Patterndist/constants.d.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings