Lines 1-35javascript
1import { readdirSync, readFileSync, existsSync, statSync } from "fs";
2import { join, resolve, basename } from "path";
3import chalk from "chalk";
4import { expandPath, loadConfig, findWorkspace } from "../../utils/config.js";
5const SUSPICIOUS_PATTERNS = [
7 { pattern: /skillpay/i, label: "SkillPay billing integration", severity: "high", category: "billing" },
8 { pattern: /billing[._]charge/i, label: "Billing charge call", severity: "high", category: "billing" },
9 { pattern: /payment_url|payment.link|paymentIntent/i, label: "Payment URL/intent generation", severity: "high", category: "billing" },
10 { pattern: /api\/v1\/billing|\/billing\/charge/i, label: "Billing API endpoint", severity: "high", category: "billing" },
11 { pattern: /\.charge\s*\(/i, label: "Charge function call", severity: "high", category: "billing" },
12 { pattern: /stripe\.com|stripe\.checkout/i, label: "Stripe payment integration", severity: "medium", category: "billing" },
13 { pattern: /cryptocurrency|usdt|bitcoin|ethereum|web3|0x[a-fA-F0-9]{40}/i, label: "Cryptocurrency/wallet reference", severity: "high", category: "billing" },
14 { pattern: /gumroad|lemonSqueezy|paddle\.com|buymeacoffee/i, label: "Payment platform integration", severity: "medium", category: "billing" },
16 { pattern: /eval\s*\(/, label: "eval() usage", severity: "high", category: "injection" },
17 { pattern: /new\s+Function\s*\(/, label: "Dynamic function constructor", severity: "high", category: "injection" },
LowEval
Package source references a known benign dynamic code generation pattern.
dist/auditors/openclaw/security-scan.jsView on unpkg · L15 18 { pattern: /child_process/, label: "child_process module", severity: "medium", category: "injection" },
19 { pattern: /exec\s*\(\s*['"`]/, label: "Shell command execution with string", severity: "high", category: "injection" },
20 { pattern: /execSync\s*\(/, label: "Synchronous shell execution", severity: "medium", category: "injection" },
21 { pattern: /spawn\s*\(\s*['"`](?!node|npm|npx|python|pip)/, label: "Process spawn (non-standard binary)", severity: "medium", category: "injection" },
22 { pattern: /\.replace\s*\(.*\bFunction\b/, label: "String-to-function conversion", severity: "high", category: "injection" },
23 { pattern: /vm\.runIn(New|This)Context/i, label: "VM context execution", severity: "high", category: "injection" },
24 // Data exfiltration / network
25 { pattern: /fetch\s*\(\s*['"`]https?:\/\/(?!api\.(openai|anthropic|google|x\.ai|deepseek|openrouter))/i, label: "HTTP call to non-standard endpoint", severity: "medium", category: "exfiltration" },
26 { pattern: /XMLHttpRequest/i, label: "XMLHttpRequest usage", severity: "medium", category: "exfiltration" },
27 { pattern: /urllib\.request|requests\.post|requests\.get/i, label: "Python HTTP library", severity: "low", category: "exfiltration" },
28 { pattern: /axios\s*\.\s*(get|post|put|delete)\s*\(/i, label: "Axios HTTP call", severity: "low", category: "exfiltration" },
29 { pattern: /webhook|ngrok|localtunnel|serveo/i, label: "Tunnel/webhook service", severity: "medium", category: "exfiltration" },
30 { pattern: /telemetry|analytics|tracking|mixpanel|segment\.io|posthog/i, label: "Telemetry/analytics", severity: "medium", category: "exfiltration" },
31 { pattern: /navigator\.sendBeacon/i, label: "Beacon API (silent data send)", severity: "high", category: "exfiltration" },
33 { pattern: /atob\s*\(|btoa\s*\(|Buffer\.from\s*\(\s*['"][A-Za-z0-9+/=]{50,}/, label: "Base64 encode/decode (long string)", severity: "medium", category: "obfuscation" },
34 { pattern: /\\x[0-9a-fA-F]{2}(?:\\x[0-9a-fA-F]{2}){10,}/, label: "Hex-encoded string sequence", severity: "high", category: "obfuscation" },
35 { pattern: /\\u[0-9a-fA-F]{4}(?:\\u[0-9a-fA-F]{4}){10,}/, label: "Unicode-encoded string sequence", severity: "high", category: "obfuscation" },