registry  /  @ciandt-flow/flow-ai-obs  /  0.8.1

@ciandt-flow/flow-ai-obs@0.8.1

Claude Code hooks for Langfuse OTLP tracing — cross-platform

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 124 KB of source, external domains: flow.ciandt.com, github.com, nodejs.org, registry.npmjs.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "require('fs').existsSync('dist/setup.js') && require('child_process').execFileSync(process.execPath, ['dist/setup.js'], {stdio:'inherit'})"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "require('fs').existsSync('dist/setup.js') && require('child_process').execFileSync(process.execPath, ['dist/setup.js'], {stdio:'inherit'})"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
1'use strict';var child_process=require('child_process'),util=require('util'),I=require('fs'),x=require('path'),fe=require('os'),Je=require('https'),je=require('http'),crypto=requir... L2: `;try{I.writeFileSync(We,e,{flag:"a"});}catch(r){process.stderr.write(`[flow-obs debug ERROR] ${r.message}
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1
1'use strict';var child_process=require('child_process'),util=require('util'),I=require('fs'),x=require('path'),fe=require('os'),Je=require('https'),je=require('http'),crypto=requir... L2: `;try{I.writeFileSync(We,e,{flag:"a"});}catch(r){process.stderr.write(`[flow-obs debug ERROR] ${r.message}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
1'use strict';var child_process=require('child_process'),util=require('util'),I=require('fs'),x=require('path'),fe=require('os'),Je=require('https'),je=require('http'),crypto=requir... L2: `;try{I.writeFileSync(We,e,{flag:"a"});}catch(r){process.stderr.write(`[flow-obs debug ERROR] ${r.message}
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1
dist/cli.jsView file
1#!/usr/bin/env node L2: 'use strict';var Pe=require('readline/promises'),ms=require('https'),g=require('fs'),lt=require('os'),It=require('path'),child_process=require('child_process'),Ps=require('http'),u... L3: `);}catch(i){throw r.close(),i}if(r.close(),e!==void 0)return e;throw new Error("Too many invalid attempts for yes/no prompt")}async function Sr(t,e){let r=Pe__namespace.createInte... L4: \u256D${i}\u256E ... L27: `;try{g.writeFileSync(Rs,e,{flag:"a"});}catch(r){process.stderr.write(`[flow-obs debug ERROR] ${r.message} L28: `);}}var Rs,D=m(()=>{"use strict";O();Rs=It.join(lt.tmpdir(),vr);});function Cs(t){if(!bs.test(t))throw new Error(`Invalid tenant value: "${t}". Tenant must be lowercase alphanumer... L29: `+L(` \u2717 flow-ai-obs is not supported in a sudo context. ... L32: `)+` L33: `),1}var Mt=m(()=>{"use strict";it();});function Ir(){if(process.platform==="linux"&&process.getuid?.()===0&&process.env.SUDO_USER){let e=child_process.spawnSync("getent",["passwd"... L34: `,{encoding:"utf8",mode:384});try{g__namespace.chmodSync(t,384);}catch{}}finally{fe(e);}return {settingsPath:t,preserved:r}}function Rt(t){try{let e=g__namespace.readFileSync(v(),"... ... L36: `,{enc
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L1
1Cross-file remote execution chain: dist/cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: 'use strict';var Pe=require('readline/promises'),ms=require('https'),g=require('fs'),lt=require('os'),It=require('path'),child_process=require('child_process'),Ps=require('http'),u... L3: `);}catch(i){throw r.close(),i}if(r.close(),e!==void 0)return e;throw new Error("Too many invalid attempts for yes/no prompt")}async function Sr(t,e){let r=Pe__namespace.createInte... L4: \u256D${i}\u256E ... L27: `;try{g.writeFileSync(Rs,e,{flag:"a"});}catch(r){process.stderr.write(`[flow-obs debug ERROR] ${r.message} L28: `);}}var Rs,D=m(()=>{"use strict";O();Rs=It.join(lt.tmpdir(),vr);});function Cs(t){if(!bs.test(t))throw new Error(`Invalid tenant value: "${t}". Tenant must be lowercase alphanumer... L29: `+L(` \u2717 flow-ai-obs is not supported in a sudo context. ... L32: `)+` L33: `),1}var Mt=m(()=>{"use strict";it();});function Ir(){if(process.platform==="linux"&&process.getuid?.()===0&&process.env.SUDO_USER){let e=child_process.spawnSync("getent",["passwd"... L34: `,{encoding:"utf8",mode:384});try{g__namespace.chmodSync(t,384);}catc…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L1
19`),d(_));}let A=setTimeout(()=>T(false),e);h.once("line",_=>T(_.trim().toLowerCase()==="y")),h.once("close",()=>T(false));})}async function Ss(t){let e=C().name;return process.stde... L20: `),new Promise(r=>{let n=child_process.spawn("npm",["install","-g",`${e}@${t}`],{stdio:"inherit"});n.on("close",s=>{s!==0?process.stderr.write(` \u2717 Update failed \u2014 contin... L21: ... L30: L31: `)+R(` npm install -g @ciandt-flow/flow-ai-obs L32: `)+`
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L19

Findings

7 High4 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighCross File Remote Execution Contextdist/cli.js
HighRuntime Package Installdist/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License