registry  /  @fased/fased  /  0.1.15

@fased/fased@0.1.15

Fased Agent self-hosted AI gateway with channels, tools, plugins, and operator modules

AI Security Review

scanned 5h ago · by lpm-firewall-ai

The package has an npm prepare lifecycle hook that silently rewrites the active git worktree hooksPath to git-hooks. In a normal install inside a git-tracked project, this can mutate the consumer repository's Git hook configuration without user consent.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
npm install or other npm operation that runs prepare in a git worktree
Impact
Consumer project Git hooks can be redirected or disabled, creating a persistence/control-surface change outside the package runtime.
Mechanism
unconsented lifecycle git config mutation
Attack narrative
On lifecycle execution, package.json runs a prepare command that checks for git and an enclosing worktree, then writes core.hooksPath=git-hooks via git config. Because npm scripts execute from the package directory inside the consumer project, git can resolve the consumer worktree and mutate its .git/config without an explicit user command.
Rationale
The confirmed lifecycle behavior is an unconsented mutation of a VCS control surface in the installing project, which is blockable install-hook abuse even though other scanner claims about remote eval/exfiltration were not confirmed by source inspection. Package-aligned AI gateway and messaging features do not justify this prepare-time repository configuration change.
Evidence
package.jsonfased.mjsscripts/fased-launcher-runtime.mjsdist/entry.jsdist/agent-scope-CJnlJJmZ.jsdist/plugin-sdk/runtime-m6qXwTxP.jsdist/send-D4mEqkCy.jsconsumer .git/configgit-hooks

Decision evidence

public snapshot
AI called this Malicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json prepare runs during npm lifecycle and executes git config core.hooksPath git-hooks when cwd is inside any git worktree
  • npm lifecycle cwd under node_modules can still resolve the consumer repo worktree, mutating that repo's .git/config without opt-in
  • prepare hook is not a build step and is unrelated to declared bin fased.mjs runtime
  • dist/agent-scope-CJnlJJmZ.js contains first-party agent workspace/bootstrap writers, confirming agent-control capabilities exist in package runtime
Evidence against
  • fased.mjs only reexecs supported Node and imports dist/entry.js
  • scanner remote decode/eval hint was not confirmed: searched runtime/index/entry bundles found no new Function/eval/http import pattern
  • dist/send-D4mEqkCy.js Discord network calls are package-aligned messaging features using discord.com API
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,513 file(s), 36.4 MB of source, external domains: 127.0.0.1, 192.168.1.100, 192.168.1.5, accounts.google.com, agent.example.com, ai-gateway.vercel.sh, aistudio.google.com, albumart.url, api.anthropic.com, api.botframework.com, api.chutes.ai, api.devnet.solana.com, api.elevenlabs.io, api.example.com, api.firecrawl.dev, api.github.com, api.individual.githubcopilot.com, api.jup.ag, api.kimi.com, api.mainnet-beta.solana.com, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.moonshot.cn, api.openai.com, api.perplexity.ai, api.plivo.com, api.push.apple.com, api.sandbox.push.apple.com, api.synthetic.new, api.telegram.org, api.telnyx.com, api.together.xyz, api.twilio.com, api.venice.ai, api.voyageai.com, api.x.ai, api.xiaomimimo.com, api.z.ai, ark.ap-southeast.bytepluses.com, ark.cn-beijing.volces.com, arweave.net, auth.x.ai, autopush-cloudcode-pa.sandbox.googleapis.com, bot-api.zaloplatforms.com, bot.zaloplatforms.com, brave.com, brew.sh, bun.sh
Oversized source lightweight scan
dist/auth-BQDQDRj_.js4.38 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketUrlStringsapi.telegram.orgdocs.fased.ai
dist/model-catalog-DDWJ1Qtp.js4.48 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketHighEntropyStringsUrlStringsapi.elevenlabs.ioapi.openai.comapi.telegram.org
dist/pi-embedded-BNDg2YlI.js4.38 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketHighEntropyStringsUrlStringsapi.anthropic.comapi.elevenlabs.ioapi.openai.comchatgpt.comdocs.fased.aigithub.comopenrouter.ai
dist/pi-embedded-DWKZg9Eu.js4.38 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketHighEntropyStringsUrlStringsapi.anthropic.comapi.elevenlabs.ioapi.openai.comchatgpt.comdocs.fased.aigithub.comopenrouter.ai
dist/plugin-sdk/reply-BeRFIDlW.js4.39 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketHighEntropyStringsUrlStringsdocs.fased.aiexample.com
dist/plugin-sdk/status-BfKHIedy.js4.38 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketHighEntropyStringsUrlStrings127.0.0.1arweave.netipfs.iolite-api.jup.ag
dist/reply-DpGW2M4Q.js4.48 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketHighEntropyStringsUrlStrings127.0.0.1api.devnet.solana.comapi.mainnet-beta.solana.comapi.minimax.ioexample.com

Source & flagged code

42 flagged · loading source
dist/gateway-cli-BdCm_i_j.jsView file
152import crypto, { createHash, randomBytes, randomUUID } from "node:crypto"; L153: import { spawn, spawnSync } from "node:child_process"; L154: import http, { createServer } from "node:http";
High
Child Process

Package source references child process execution.

dist/gateway-cli-BdCm_i_j.jsView on unpkg · L152
35import "./federation-BrNm7xtG.js"; L36: import { $ as validateDevicePairListParams, $n as requestDevicePairing, $t as [redacted], A as validateCommandsListParams, An as validateUpdateRunParam... L37: import "./chunk-D8FqIY_f.js";
High
Shell

Package source references shell execution.

dist/gateway-cli-BdCm_i_j.jsView on unpkg · L35
3214if (isDisabledByEnv$1()) return { stop: async () => {} }; L3215: const { getResponder, Protocol } = await import("@homebridge/ciao"); L3216: const responder = getResponder();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/gateway-cli-BdCm_i_j.jsView on unpkg · L3214
2import { A as isPlainObject, F as logVerbose, G as getLogger, H as isRich, K as getResolvedLoggerSettings, L as setVerbose, S as resolveUserPath, T as shortenHomePath, U as theme, ... L3: import { $ as listAgentsForGateway, $a as isPidAlive, $f as createInternalHookEvent, $l as runCommandWithTimeout, A as resolveDefaultAgentWorkspaceDir, Af as CHANNEL_IDS, An as rea... L4: import { C as normalizeReasoningLevel, S as normalizeElevatedLevel, T as normalizeVerboseLevel, m as resolveNativeCommandName, o as listChatCommandsForConfig, w as normalizeUsageDi... ... L31: import "./runtime-bsvPuEXH.js"; L32: import { a as publicKeyRawBase64UrlFromPem, i as [redacted], n as deriveDeviceIdFromPublicKey, r as loadOrCreateDeviceIdentity, s as verifyDeviceSignature } ... L33: import "./solana-bond-signing-CgswTuFe.js"; ... L35: import "./federation-BrNm7xtG.js"; L36: import { $ as validateDevicePairListParams, $n as requestDevicePairing, $t as [redacted], A as validateCommandsListParams, An as validateUpdateRunParam... L37: import "./chunk-D8FqIY_f.js"; ... L153: import { spawn, spawnSync } from "node:child_process"; L154: import http, { cre
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/gateway-cli-BdCm_i_j.jsView on unpkg · L2
dist/pw-ai-COfk-FbM.jsView file
1226const locator = refLocator(page, opts.ref); L1227: const elementEvaluator = new Function("el", "args", ` L1228: "use strict";
High
Eval

Package source references dynamic code evaluation.

dist/pw-ai-COfk-FbM.jsView on unpkg · L1226
extensions/voice-call/src/webhook-security.tsView file
76* L77: * @see https://www.twilio.[redacted]-security L78: */ ... L82: url: string, L83: params: URLSearchParams, L84: ): boolean { ... L90: L91: // HMAC-SHA1 with auth token, then base64 encode L92: const expectedSignature = crypto
Low
Weak Crypto

Package source references weak cryptographic algorithms.

extensions/voice-call/src/webhook-security.tsView on unpkg · L76
dist/onboarding.wallet-DQJIoDsv.jsView file
3227}); L3228: function resolveSignerdBinaryPath(env = process.env) { L3229: const explicit = String(env.FASED_WALLET_LOCAL_SIGNER_BIN ?? "").trim(); ... L3238: const BROKER_CLI_RELPATHS = ["./index.js", "../../dist/index.js"]; L3239: const DEFAULT_SIGNER_RELEASE_DOWNLOAD_BASE = "https://github.com/fased-ai/fased/releases/download"; L3240: const SIGNER_ISOLATION_HELPER = "/usr/local/sbin/fased-signer-isolation"; L3241: function runCommand(params) { L3242: const child = spawnSync(params.command, params.args, { L3243: env: params.env,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/onboarding.wallet-DQJIoDsv.jsView on unpkg · L3227
dist/send-D4mEqkCy.jsView file
14import crypto from "node:crypto"; L15: import { execFile } from "node:child_process"; L16: import { Button, ChannelSelectMenu, CheckboxGroup, Container, Embed, File, Label, LinkButton, MediaGallery, MentionableSelectMenu, Modal, RadioGroup, RequestClient, RoleSelectMenu,... ... L129: //#region src/discord/api.ts L130: const DISCORD_API_BASE = "https://discord.com/api/v10"; L131: const DISCORD_API_RETRY_DEFAULTS = { ... L140: try { L141: const payload = JSON.parse(trimmed); L142: if (payload && typeof payload === "object") return payload; ... L542: for (const guild of guilds) { L543: const paramsObj = new URLSearchParams({ L544: query,
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/send-D4mEqkCy.jsView on unpkg · L14
dist/daemon-cli.jsView file
38import fs$1 from "node:fs/promises"; L39: import { execFile, spawn } from "node:child_process"; L40: import { fileURLToPath } from "node:url"; ... L88: for (const basename of MANAGED_SCRIPT_BASENAMES) { L89: const cwdCandidate = path.resolve(process.cwd(), "scripts", basename); L90: seen.add(cwdCandidate); ... L195: const { execFileSync } = await import("node:child_process"); L196: const cmd = process.platform === "win32" ? "where" : "which"; L197: try { ... L202: } catch { L203: if (binary === "bun") throw new Error("Bun not found in PATH. Install bun: https://bun.sh"); L204: throw new Error("Node not found in PATH. Install Node 22+.");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/daemon-cli.jsView on unpkg · L38
dist/plugin-sdk/runtime-m6qXwTxP.jsView file
12import fs$1 from "node:fs/promises"; L13: import { execFile, execFileSync, spawn } from "node:child_process"; L14: import { fileURLToPath } from "node:url"; ... L22: import { getOAuthApiKey, getOAuthProviders } from "@mariozechner/pi-ai"; L23: import { createServer } from "node:http"; L24: import AjvPkg from "ajv"; ... L141: docsLabel: "signal", L142: blurb: "signal-cli linked-device channel for private Signal messaging.", L143: systemImage: "antenna.radiowaves.left.and.right" ... L328: consolePatched: false, L329: forceConsoleToStderr: false, L330: consoleTimestampPrefix: false,
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/plugin-sdk/runtime-m6qXwTxP.jsView on unpkg · L12
Trigger-reachable chain: manifest.exports -> dist/plugin-sdk/index.js -> dist/plugin-sdk/runtime-m6qXwTxP.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/plugin-sdk/runtime-m6qXwTxP.jsView on unpkg
scripts/start-managed.shView file
path = scripts/start-managed.sh kind = build_helper sizeBytes = 56771 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/start-managed.shView on unpkg
dist/pi-embedded-DWKZg9Eu.jsView file
path = dist/pi-embedded-DWKZg9Eu.js kind = oversized_source_file sizeBytes = 4594561 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/pi-embedded-DWKZg9Eu.jsView on unpkg
dist/agent-scope-CJnlJJmZ.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @fased/fased@0.1.14 matchedIdentity = npm:QGZhc2VkL2Zhc2Vk:0.1.14 similarity = 0.592 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/agent-scope-CJnlJJmZ.jsView on unpkg
docs/zh-CN/gateway/tailscale.mdView file
80patternName = generic_password severity = medium line = 80 matchedText = auth: { ..." },
Medium
Secret Pattern

Hardcoded password in docs/zh-CN/gateway/tailscale.md

docs/zh-CN/gateway/tailscale.mdView on unpkg · L80
docs/zh-CN/gateway/configuration.mdView file
3027patternName = generic_password severity = medium line = 3027 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in docs/zh-CN/gateway/configuration.md

docs/zh-CN/gateway/configuration.mdView on unpkg · L3027
docs/zh-CN/channels/bluebubbles.mdView file
43patternName = generic_password severity = medium line = 43 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in docs/zh-CN/channels/bluebubbles.md

docs/zh-CN/channels/bluebubbles.mdView on unpkg · L43
docs/gateway/tailscale.mdView file
128patternName = generic_password severity = medium line = 128 matchedText = auth: { ..." },
Medium
Secret Pattern

Hardcoded password in docs/gateway/tailscale.md

docs/gateway/tailscale.mdView on unpkg · L128
docs/gateway/configuration-reference.mdView file
629patternName = generic_password severity = medium line = 629 matchedText = password...D}",
Medium
Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.mdView on unpkg · L629
2371patternName = generic_password severity = medium line = 2371 matchedText = // passw...WORD
Medium
Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.mdView on unpkg · L2371
2398patternName = generic_password severity = medium line = 2398 matchedText = // passw...rd",
Medium
Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.mdView on unpkg · L2398
docs/channels/bluebubbles.mdView file
51patternName = generic_password severity = medium line = 51 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in docs/channels/bluebubbles.md

docs/channels/bluebubbles.mdView on unpkg · L51
extensions/irc/src/client.test.tsView file
39patternName = generic_password severity = medium line = 39 matchedText = password...ad",
Medium
Secret Pattern

Hardcoded password in extensions/irc/src/client.test.ts

extensions/irc/src/client.test.tsView on unpkg · L39
extensions/bluebubbles/src/attachments.test.tsView file
90patternName = generic_password severity = medium line = 90 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/attachments.test.ts

extensions/bluebubbles/src/attachments.test.tsView on unpkg · L90
100patternName = generic_password severity = medium line = 100 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/attachments.test.ts

extensions/bluebubbles/src/attachments.test.tsView on unpkg · L100
132patternName = generic_password severity = medium line = 132 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/attachments.test.ts

extensions/bluebubbles/src/attachments.test.tsView on unpkg · L132
154patternName = generic_password severity = medium line = 154 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/attachments.test.ts

extensions/bluebubbles/src/attachments.test.tsView on unpkg · L154
260patternName = generic_password severity = medium line = 260 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/attachments.test.ts

extensions/bluebubbles/src/attachments.test.tsView on unpkg · L260
extensions/bluebubbles/src/send.test.tsView file
733patternName = generic_password severity = medium line = 733 matchedText = password...ss",
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/send.test.ts

extensions/bluebubbles/src/send.test.tsView on unpkg · L733
extensions/bluebubbles/src/monitor.test.tsView file
303patternName = generic_password severity = medium line = 303 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.tsView on unpkg · L303
563patternName = generic_password severity = medium line = 563 matchedText = const ac... });
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.tsView on unpkg · L563
599patternName = generic_password severity = medium line = 599 matchedText = const ac... });
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.tsView on unpkg · L599
639patternName = generic_password severity = medium line = 639 matchedText = const ac... });
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.tsView on unpkg · L639
674patternName = generic_password severity = medium line = 674 matchedText = const ac... });
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.tsView on unpkg · L674
675patternName = generic_password severity = medium line = 675 matchedText = const ac... });
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.tsView on unpkg · L675
728patternName = generic_password severity = medium line = 728 matchedText = const ac... });
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.tsView on unpkg · L728
782patternName = generic_password severity = medium line = 782 matchedText = const ac... });
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.tsView on unpkg · L782
3088patternName = generic_password severity = medium line = 3088 matchedText = ...creat... }),
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.tsView on unpkg · L3088
3092patternName = generic_password severity = medium line = 3092 matchedText = ...creat... }),
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/monitor.test.ts

extensions/bluebubbles/src/monitor.test.tsView on unpkg · L3092
extensions/bluebubbles/src/actions.test.tsView file
54patternName = generic_password severity = medium line = 54 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/actions.test.ts

extensions/bluebubbles/src/actions.test.tsView on unpkg · L54
95patternName = generic_password severity = medium line = 95 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/actions.test.ts

extensions/bluebubbles/src/actions.test.tsView on unpkg · L95
109patternName = generic_password severity = medium line = 109 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in extensions/bluebubbles/src/actions.test.ts

extensions/bluebubbles/src/actions.test.tsView on unpkg · L109

Findings

4 Critical6 High34 Medium6 Low
CriticalCommand Output Exfiltrationdist/send-D4mEqkCy.js
CriticalRemote Asset Decode Executedist/plugin-sdk/runtime-m6qXwTxP.js
CriticalTrigger Reachable Dangerous Capabilitydist/plugin-sdk/runtime-m6qXwTxP.js
CriticalPrevious Version Dangerous Deltadist/agent-scope-CJnlJJmZ.js
HighChild Processdist/gateway-cli-BdCm_i_j.js
HighShelldist/gateway-cli-BdCm_i_j.js
HighEvaldist/pw-ai-COfk-FbM.js
HighSame File Env Network Executiondist/onboarding.wallet-DQJIoDsv.js
HighSandbox Evasion Gated Capabilitydist/daemon-cli.js
HighOversized Source Filedist/pi-embedded-DWKZg9Eu.js
MediumDynamic Requiredist/gateway-cli-BdCm_i_j.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/gateway-cli-BdCm_i_j.js
MediumShips Build Helperscripts/start-managed.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterndocs/zh-CN/gateway/tailscale.md
MediumSecret Patterndocs/zh-CN/gateway/configuration.md
MediumSecret Patterndocs/zh-CN/channels/bluebubbles.md
MediumSecret Patterndocs/gateway/tailscale.md
MediumSecret Patterndocs/gateway/configuration-reference.md
MediumSecret Patterndocs/gateway/configuration-reference.md
MediumSecret Patterndocs/gateway/configuration-reference.md
MediumSecret Patterndocs/channels/bluebubbles.md
MediumSecret Patternextensions/irc/src/client.test.ts
MediumSecret Patternextensions/bluebubbles/src/attachments.test.ts
MediumSecret Patternextensions/bluebubbles/src/attachments.test.ts
MediumSecret Patternextensions/bluebubbles/src/attachments.test.ts
MediumSecret Patternextensions/bluebubbles/src/attachments.test.ts
MediumSecret Patternextensions/bluebubbles/src/attachments.test.ts
MediumSecret Patternextensions/bluebubbles/src/send.test.ts
MediumSecret Patternextensions/bluebubbles/src/monitor.test.ts
MediumSecret Patternextensions/bluebubbles/src/monitor.test.ts
MediumSecret Patternextensions/bluebubbles/src/monitor.test.ts
MediumSecret Patternextensions/bluebubbles/src/monitor.test.ts
MediumSecret Patternextensions/bluebubbles/src/monitor.test.ts
MediumSecret Patternextensions/bluebubbles/src/monitor.test.ts
MediumSecret Patternextensions/bluebubbles/src/monitor.test.ts
MediumSecret Patternextensions/bluebubbles/src/monitor.test.ts
MediumSecret Patternextensions/bluebubbles/src/monitor.test.ts
MediumSecret Patternextensions/bluebubbles/src/monitor.test.ts
MediumSecret Patternextensions/bluebubbles/src/actions.test.ts
MediumSecret Patternextensions/bluebubbles/src/actions.test.ts
MediumSecret Patternextensions/bluebubbles/src/actions.test.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptoextensions/voice-call/src/webhook-security.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings