@cocorograph/hub-agent@0.7.34

Local resident agent for Hub Hosted Cockpit. It connects to the Hub over outbound WSS and relays the local tmux/pty.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Shell, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense
scanned 39 file(s), 807 KB of source, external domains: api.hub.cocorograph.com, hub.cocorograph.com

Source & flagged code

6 flagged
package.json
scripts.postinstall = node scripts/fix-node-pty-perms.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

src/plugin-loader.mjs
L20: *
L21: * @returns {Promise<import('./hooks.mjs').Plugin[]>}
L22: */
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/plugin-loader.mjs · L20
src/tui-viewer-registry.mjs
L26: export const VIEWERS_DIR =
L27: process.env.COCKPIT_VIEWERS_DIR || "/tmp/cockpit_tui_viewers"
L28: ...
L176: try {
L177: body = JSON.parse(await readFile(fp, "utf-8"))
L178: } catch {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/tui-viewer-registry.mjs · L26
src/service-install.mjs
L4: * - macOS: install ~/Library/LaunchAgents/co.cocorograph.hub-agent.plist
L5: * and make it resident with launchctl bootstrap gui/<uid>
L6: * - Linux: install ~/.config/systemd/user/hub-agent.service and
...
L14: import path from "node:path"
L15: import { spawnSync } from "node:child_process"
L16: import { fileURLToPath } from "node:url"
...
L36: function macPlistPath() {
L37: return path.join(os.homedir(), "Library", "LaunchAgents", `${PLIST_LABEL}.plist`)
L38: }
...
L66: // Zero side effects on a normal environment.
L67: const nodeExtraCa = process.env.NODE_EXTRA_CA_CERTS || ""
L68: let plistEntry = ""
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/service-install.mjs · L4
scripts/install.sh
path = scripts/install.sh kind = build_helper sizeBytes = 37461 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/codex-appserver-client.mjs
matchType = previous_version_dangerous_delta matchedPackage = @cocorograph/hub-agent@0.7.42 matchedIdentity = npm:QGNvY29yb2dyYXBoL2h1Yi1hZ2VudA:0.7.42 similarity = 0.846 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Findings

2 High · 5 Medium · 7 Low
High · Install Time Lifecycle Scripts · package.json
High · Previous Version Dangerous Delta · src/codex-appserver-client.mjs
Medium · Dynamic Require · src/plugin-loader.mjs
Medium · Environment Vars
Medium · Install Persistence · src/service-install.mjs
Medium · Ships Build Helper · scripts/install.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · src/tui-viewer-registry.mjs
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License