registry  /  @castlemilk/omega  /  0.6.16

@castlemilk/omega@0.6.16

Omega Harness CLI - installable via npx

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis completed at 93.0% confidence. No malicious behavior was detected; 12 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 53 file(s), 1.77 MB of source, external domains: example.com, reactjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
dist/server/dist/routes/benchmarks.jsView file
4import { fileURLToPath } from 'node:url'; L5: import { spawn } from 'node:child_process'; L6: import { z } from 'zod';
High
Child Process

Package source references child process execution.

dist/server/dist/routes/benchmarks.jsView on unpkg · L4
dist/cli.jsView file
583stdio: "inherit", L584: shell: true, L585: env
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L583
573const grpcPort = await findAvailablePort(DEFAULT_GRPC_PORT, MAX_GRPC_PORT); L574: apiUrl = `http://localhost:${port.toString()}`; L575: process.env.HARNESS_API_URL = apiUrl; L576: const env = { ... L581: }; L582: server = startBundledServer(env) ?? spawn("pnpm", ["--filter", "@omega/server", "dev"], { L583: stdio: "inherit",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L573
matchType = previous_version_dangerous_delta matchedPackage = @castlemilk/omega@0.6.12 matchedIdentity = npm:QGNhc3RsZW1pbGsvb21lZ2E:0.6.12 similarity = 0.848 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg

Findings

4 High3 Medium5 Low
HighChild Processdist/server/dist/routes/benchmarks.js
HighShelldist/cli.js
HighSame File Env Network Executiondist/cli.js
HighPrevious Version Dangerous Deltadist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings