@generativereality/cctabs@0.4.7

Claude Code tab manager. Terminal tabs as the UI, no tmux.

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 133 KB of source, external domains: cctabs.com, github.com, registry.npmjs.org, waveterm.dev

Source & flagged code

4 flagged
dist/index.js
L3: import { cli, define } from "gunshi";
L4: import { execFileSync, spawn, spawnSync } from "child_process";
L5: import { createConnection } from "net";
High
Child Process

Package source references child process execution.

dist/index.js · L3
L129: function tabbyPluginResponds() {
L130: const r = spawnSync("curl", [
L131: "-fsS",
...
L133: "2",
L134: `http://${process.env.CCTABS_TABBY_HOST ?? "127.0.0.1"}:${Number(process.env.CCTABS_TABBY_PORT ?? "3300")}/api/health`
L135: ], { encoding: "utf-8" });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L129
L3191: detail: `${host}:${port} unreachable (${health.error ?? "unknown"})`,
L3192: hint: "Run `cctabs install-tabby-plugin` from inside a Tabby tab — it npm-installs the plugin and reopens Tabby. Or do it by hand: `npm install --legacy-peer-deps --prefix \"$HOME/...
L3193: };
...
L3205: function checkSpawnedShellPath() {
L3206: const r = spawnSync("zsh", [
L3207: "-l",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.js · L3191
L3: import { cli, define } from "gunshi";
L4: import { execFileSync, spawn, spawnSync } from "child_process";
L5: import { createConnection } from "net";
L6: import { randomUUID } from "crypto";
...
L11: import * as p from "@clack/prompts";
L12: //#region package.json
L13: var name = "@generativereality/cctabs";
...
L34: "check": "npm run typecheck && npm run test && npm run build",
L35: "release": "bumpp && npm publish",
L36: "sync-plugin": "bash scripts/sync-plugin.sh",
...
L78: function detectTerminal() {
L79: const override = (process.env.CCTABS_TERMINAL ?? process.env.CCTABS_BACKEND ?? "").trim().toLowerCase();
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.js · L3

Findings

4 High · 4 Medium · 4 Low
High · Child Process · dist/index.js
High · Shell
High · Same File Env Network Execution · dist/index.js
High · Runtime Package Install · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/index.js
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings