registry  /  @checksum-ai/runtime  /  4.7.0

@checksum-ai/runtime@4.7.0

Checksum.ai test runtime

Static Scan Results

scanned 14d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 1.46 MB of source, external domains: 127.0.0.1, api.checksum.ai, app.checksum.ai, feross.org, github.com, jimmy.warting.se, lodash.com, npms.io, openjsf.org, socket.io, underscorejs.org, www.apache.org
Oversized source lightweight scan
cli.js6.03 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoObfuscatedHighEntropyStringsMinifiedUrlStringsapi.checksum.aiapp.checksum.aigithub.comjimmy.warting.selodash.comnpms.ioopenjsf.orgunderscorejs.orgwww.apache.org
index.js5.90 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsEvalCryptoHighEntropyStringsMinifiedUrlStringsapi.checksum.aifeross.orggithub.comjimmy.warting.selodash.comnpms.ioopenjsf.orgsocket.iounderscorejs.orgwww.apache.org
test-run-monitor.js4.21 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoObfuscatedHighEntropyStringsMinifiedUrlStringsapi.checksum.aiwww.apache.org

Source & flagged code

11 flagged · loading source
1patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L1: CHECKSUM_RUNTIME_BUILD_TIME=<redacted:24 token-like>
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg · L1
postinstall.jsView file
2const path = require("path"); L3: const { exec } = require("child_process"); L4:
High
Child Process

Package source references child process execution.

postinstall.jsView on unpkg · L2
30return new Promise((resolve, reject) => { L31: exec("npx playwright install", (error, stdout, stderr) => { L32: if (error) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

postinstall.jsView on unpkg · L30
1const fs = require("fs"); L2: const path = require("path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

postinstall.jsView on unpkg · L1
checksumlib.jsView file
74now you can use replayer.getMirror() to access the mirror instance of a replayer,\r L75: or you can use record.mirror to access the mirror instance during recording.`,jb={map:{},getId(){return console.error(pi),-1},getNode(){return console.error(pi),null},removeNodeFro... L76: ${t.locator}`);r!==null&&this.sessionRecorder.addCustomEvent("assertion",{matcher:`toHaveText("${r}")`,locator:t.locator})},"toHaveTextHandler");this.toBeVisibleHandler=a(()=>e=>{l...
Low
Eval

Package source references a known benign dynamic code generation pattern.

checksumlib.jsView on unpkg · L74
scripts/playwright_patches/1.52.0.jsView file
294// reported: false, L295: // userData: undefined, L296: // stepId: undefined ... L370: L371: const isRuntime = true || process.env.RUNTIME === "true"; L372:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

scripts/playwright_patches/1.52.0.jsView on unpkg · L294
index.jsView file
path = index.js kind = oversized_source_file sizeBytes = 6190458 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

index.jsView on unpkg
cli.jsView file
path = cli.js kind = oversized_cli_entrypoint sizeBytes = 6318494 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

cli.jsView on unpkg
checksum-root/checksum.config.tsView file
44patternName = generic_password severity = medium line = 44 matchedText = password...d>",
Medium
Secret Pattern

Hardcoded password in checksum-root/checksum.config.ts

checksum-root/checksum.config.tsView on unpkg · L44
README.mdView file
110patternName = generic_password severity = medium line = 110 matchedText = password...d>",
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L110
115patternName = generic_password severity = medium line = 115 matchedText = password...d>",
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L115

Findings

1 Critical5 High8 Medium5 Low
CriticalCritical Secret.env
HighChild Processpostinstall.js
HighShell
HighRuntime Package Installpostinstall.js
HighObfuscated
HighOversized Source Fileindex.js
MediumDynamic Requirepostinstall.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointcli.js
MediumStructural Risk Force Deep Review
MediumSecret Patternchecksum-root/checksum.config.ts
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowEvalchecksumlib.js
LowWeak Cryptoscripts/playwright_patches/1.52.0.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings