
@dsiloed/silo-link@1.14.0

Claude Code Remote Bridge — connects Claude Code sessions to DSiloed via MCP + ActionCable

Static Scan Results

scanned 6h ago · by rust-scanner

Static analysis flagged 10 findings at 72.0% confidence. The verdict for this version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

(public snapshot)

Behavioral surface
  Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
  Supply chain: HighEntropyStrings, UrlStrings
  Manifest: no manifest risk signals triggered.
scanned 29 file(s), 425 KB of source, external domains: registry.npmjs.org, www.dsiloed.com

Source & flagged code

2 flagged files

dist/core/base-tmux-launcher.js (excerpt; line numbers are the scanner's)
  L1:   import { spawn, execFileSync } from 'node:child_process';
  L2:   import { createHash } from 'node:crypto';
  ...
  L263: let out = '';
  L264: ls.stdout.on('data', (d) => { out += d.toString(); });
  L265: ls.on('exit', () => {
  ...
  L762: env: {
  L763:   ...process.env,
  L764:   ...this.getAgentEnv(),
Low
Weak Crypto

Package source references weak cryptographic algorithms. The flagged excerpt shows only the import of createHash from node:crypto; the algorithm name passed to it is not in the excerpt, so confirm which hash is actually used and what it protects. A weak hash used for cache keys or session naming is a different risk from one used for integrity or authentication.

dist/core/base-tmux-launcher.js · L1

dist/core/auto-updater.js (excerpt; line numbers are the scanner's)
  L1:   import { execFile, execFileSync, spawn } from 'node:child_process';
  L2:   import { promisify } from 'node:util';
  ...
  L185: registryUrl() {
  L186:   const def = 'https://registry.npmjs.org';
  L187:   const configured = this.config.npm[redacted];
  ...
  L217:   return null;
  L218:   const json = (await res.json());
  L219:   return json.dist?.integrity ?? null;
  ...
  L270:   // malicious. Bin-linking still happens (it's core npm, not a script).
  L271:   const { stdout } = await execFileAsync('npm', ['install', '-g', spec, '--ignore-scripts', '--no-fund', '--no-audit'], { timeout: 300_000, maxBuffer: 16 * 1024 * 1024 });
  L272:   const tail = stdout.trim().split('\n').slice(-1)[0] ?? '';
  ...
  L303: scheduleRestart() {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. The flagged excerpt shows a self-updater: it reads a configured registry URL (L185-187), fetches a version's dist.integrity from the registry (L218-219), and runs npm install -g with --ignore-scripts (L271). The gating condition the rule matched is not in the excerpt, so review the full file to see which check controls the update path and where the installed spec comes from. Note that --ignore-scripts suppresses lifecycle scripts only; as the code's own comment at L270 says, bin-linking still happens, and a self-updating package replaces itself with whatever the configured registry serves.

dist/core/auto-updater.js · L1

Findings

1 High · 3 Medium · 6 Low

High    Sandbox Evasion Gated Capability    dist/core/auto-updater.js
Medium  Network
Medium  Environment Vars
Medium  Structural Risk Force Deep Review
Low     Non Install Lifecycle Scripts
Low     Scripts Present
Low     Weak Crypto    dist/core/base-tmux-launcher.js
Low     Filesystem
Low     High Entropy Strings
Low     Url Strings