registry  /  @fny/joy-tmux  /  1.8.0

@fny/joy-tmux@1.8.0

joy-tmux daemon + CLI — run Claude Code sessions in tmux, bridged to the joy/Happy relay.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 41 file(s), 568 KB of source, external domains: 0.0.0.0, 127.0.0.1, api.cluster-fluster.com, claude.com, example.com, exp.host, github.com, www.apple.com

Source & flagged code

6 flagged · loading source
src/cli.tsView file
10import { homedir, platform as osPlatform } from "os"; L11: import { spawn, spawnSync } from "child_process"; L12: import { moduleDir } from "./esm";
High
Child Process

Package source references child process execution.

src/cli.tsView on unpkg · L10
10import { homedir, platform as osPlatform } from "os"; L11: import { spawn, spawnSync } from "child_process"; L12: import { moduleDir } from "./esm"; ... L14: L15: const PORT = parseInt(process.env.PORT ?? "4997"); L16: const BASE = `http://127.0.0.1:${PORT}`; L17: const HAPPY_HOME = happyHomeDir();
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/cli.tsView on unpkg · L10
10import { homedir, platform as osPlatform } from "os"; L11: import { spawn, spawnSync } from "child_process"; L12: import { moduleDir } from "./esm"; ... L22: // store (…/.pnpm/@fny+joy-tmux@1.0.15_…/node_modules/@fny/joy-tmux). Baking THAT into a L23: // launchd/systemd service breaks on the next `pnpm add -g`: pnpm makes a fresh store dir L24: // for the new version and deletes the old one, so the service's server.ts path vanishes
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/cli.tsView on unpkg · L10
10import { homedir, platform as osPlatform } from "os"; L11: import { spawn, spawnSync } from "child_process"; L12: import { moduleDir } from "./esm"; ... L14: L15: const PORT = parseInt(process.env.PORT ?? "4997"); L16: const BASE = `http://127.0.0.1:${PORT}`; L17: const HAPPY_HOME = happyHomeDir(); L18: const STATE_DIR = joyStateDir(); ... L47: function readState(): DaemonState | null { L48: try { return JSON.parse(readFileSync(STATE_FILE, "utf8")) as DaemonState; } catch { return null; } L49: } ... L61: headers: authHeaders(),
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/cli.tsView on unpkg · L10
src/domain/operations.tsView file
48// like `--import tsx` + the script path) so the replacement runs the same way. L49: const argv = [process.execPath, ...process.execArgv, ...process.argv.slice(1)]; L50: const cmd = argv.map(a => `'${a.replace(/'/g, "'\\''")}'`).join(" ");
High
Shell

Package source references shell execution.

src/domain/operations.tsView on unpkg · L48
bin/joy.mjsView file
15L16: await import(new URL('../src/cli.ts', import.meta.url).href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/joy.mjsView on unpkg · L15

Findings

4 High5 Medium5 Low
HighChild Processsrc/cli.ts
HighShellsrc/domain/operations.ts
HighSame File Env Network Executionsrc/cli.ts
HighRuntime Package Installsrc/cli.ts
MediumDynamic Requirebin/joy.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/cli.ts
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License