@donmai/core@0.9.9

Multi-agent fleet management for coding agents — orchestrator, providers, crash recovery

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 179 file(s), 1.28 MB of source, external domains: agentskills.io, docs.sigstore.dev, json-schema.org, registry.tessl.io

Source & flagged code

4 flagged
dist/src/tools/stdio-server.js
    L16: */
    L17: import { spawn } from 'node:child_process';
    L18: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

dist/src/deployment/deployment-checker.js
    L8: import { promisify } from 'util';
    L9: const execAsync = promisify(exec);
    L10: const DEFAULT_OPTIONS = {
High
Shell

Package source references shell execution.

dist/src/tools/stdio-server-entry.js
    L26: async function loadMcpSdk() {
    L27: const { McpServer } = await import('@[redacted].js');
    L28: const { StdioServerTransport } = await import('@[redacted].js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/workarea/local-pool.js
    L573: * Install dependencies using the configured package manager.
    L574: * Runs pnpm/npm/yarn install --frozen-lockfile.
    L575: */
    ...
    L579: 'yarn install --frozen-lockfile';
    L580: execSync(cmd, {
    L581: cwd: worktreePath,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.


Findings

3 High · 4 Medium · 4 Low
High · Child Process · dist/src/tools/stdio-server.js
High · Shell · dist/src/deployment/deployment-checker.js
High · Runtime Package Install · dist/src/workarea/local-pool.js
Medium · Dynamic Require · dist/src/tools/stdio-server-entry.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings