registry  /  @glasstrace/sdk  /  1.28.0

@glasstrace/sdk@1.28.0

⚠ Under review

Glasstrace server-side debugging SDK for AI coding agents

Static Scan Results

scanned 23h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 55 file(s), 7.65 MB of source, external domains: api.glasstrace.dev, glasstrace.dev, glasstrace.invalid, json-schema.org

Source & flagged code

9 flagged · loading source
dist/chunk-WZXVS2EO.jsView file
1// ../../node_modules/@[redacted]-id/execAsync.js L2: import * as child_process from "child_process"; L3: import * as util from "util";
High
Child Process

Package source references child process execution.

dist/chunk-WZXVS2EO.jsView on unpkg · L1
1// ../../node_modules/@[redacted]-id/execAsync.js L2: import * as child_process from "child_process";
High
Shell

Package source references shell execution.

dist/chunk-WZXVS2EO.jsView on unpkg · L1
dist/chunk-XLIDQG67.jsView file
3770const isInsecure = protocol === "http:"; L3771: const module = isInsecure ? import("http") : import("https"); L3772: const { Agent } = await module;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-XLIDQG67.jsView on unpkg · L3770
238patternName = generic_password severity = medium line = 238 matchedText = // `pass...d of
Medium
Secret Pattern

Hardcoded password in dist/chunk-XLIDQG67.js

dist/chunk-XLIDQG67.jsView on unpkg · L238
dist/cli/init.cjsView file
154assignProp: () => assignProp, L155: base64ToUint8Array: () => base64ToUint8Array, L156: base64urlToUint8Array: () => base64urlToUint8Array, ... L1034: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1035: } : { success: true, data: result.value }; L1036: }; ... L2563: try { L2564: new URL(`http://[${payload.value}]`); L2565: } catch { ... L15541: async function readAnonKey(projectRoot) { L15542: const root = projectRoot ?? process.cwd(); L15543: const modules = await loadFsPath();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/init.cjsView on unpkg · L154
dist/index.cjsView file
40Cross-file remote execution chain: dist/index.cjs spawns dist/middleware/index.cjs; helper contains network access plus dynamic code execution. L40: return { L41: GLASSTRACE_API_KEY: process.env.GLASSTRACE_API_KEY?.trim() || void 0, L42: GLASSTRACE_FORCE_ENABLE: process.env.GLASSTRACE_FORCE_ENABLE, ... L94: "use strict"; L95: DEFAULT_ENDPOINT = "https://api.glasstrace.dev"; L96: } ... L194: assignProp: () => assignProp, L195: base64ToUint8Array: () => base64ToUint8Array, L196: base64urlToUint8Array: () => base64urlToUint8Array, ... L1074: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1075: } : { success: true, data: result.value }; L1076: };
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.cjsView on unpkg · L40
20179patternName = generic_password severity = medium line = 20179 matchedText = // `pass...d of
Medium
Secret Pattern

Hardcoded password in dist/index.cjs

dist/index.cjsView on unpkg · L20179
dist/cli/upgrade-instructions.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @glasstrace/sdk@1.26.0 matchedIdentity = npm:QGdsYXNzdHJhY2Uvc2Rr:1.26.0 similarity = 0.964 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/upgrade-instructions.cjsView on unpkg
dist/node-entry.cjsView file
20149patternName = generic_password severity = medium line = 20149 matchedText = // `pass...d of
Medium
Secret Pattern

Hardcoded password in dist/node-entry.cjs

dist/node-entry.cjsView on unpkg · L20149

Findings

1 Critical4 High8 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli/upgrade-instructions.cjs
HighChild Processdist/chunk-WZXVS2EO.js
HighShelldist/chunk-WZXVS2EO.js
HighSandbox Evasion Gated Capabilitydist/cli/init.cjs
HighCross File Remote Execution Contextdist/index.cjs
MediumDynamic Requiredist/chunk-XLIDQG67.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
MediumSecret Patterndist/chunk-XLIDQG67.js
MediumSecret Patterndist/node-entry.cjs
MediumSecret Patterndist/index.cjs
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings