registry  /  @glasstrace/sdk  /  1.29.2

@glasstrace/sdk@1.29.2

Glasstrace server-side debugging SDK for AI coding agents

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 58 file(s), 7.70 MB of source, external domains: api.glasstrace.dev, glasstrace.dev, glasstrace.invalid, json-schema.org

Source & flagged code

8 flagged · loading source
dist/chunk-WZXVS2EO.jsView file
1// ../../node_modules/@[redacted]-id/execAsync.js L2: import * as child_process from "child_process"; L3: import * as util from "util";
High
Child Process

Package source references child process execution.

dist/chunk-WZXVS2EO.jsView on unpkg · L1
1// ../../node_modules/@[redacted]-id/execAsync.js L2: import * as child_process from "child_process";
High
Shell

Package source references shell execution.

dist/chunk-WZXVS2EO.jsView on unpkg · L1
dist/chunk-EDOBZ2ND.jsView file
3877const isInsecure = protocol === "http:"; L3878: const module = isInsecure ? import("http") : import("https"); L3879: const { Agent } = await module;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-EDOBZ2ND.jsView on unpkg · L3877
243patternName = generic_password severity = medium line = 243 matchedText = // `pass...d of
Medium
Secret Pattern

Hardcoded password in dist/chunk-EDOBZ2ND.js

dist/chunk-EDOBZ2ND.jsView on unpkg · L243
dist/cli/init.cjsView file
154assignProp: () => assignProp, L155: base64ToUint8Array: () => base64ToUint8Array, L156: base64urlToUint8Array: () => base64urlToUint8Array, ... L1034: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1035: } : { success: true, data: result.value }; L1036: }; ... L2563: try { L2564: new URL(`http://[${payload.value}]`); L2565: } catch { ... L15541: async function readAnonKey(projectRoot) { L15542: const root = projectRoot ?? process.cwd(); L15543: const modules = await loadFsPath();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/init.cjsView on unpkg · L154
dist/index.cjsView file
40Cross-file remote execution chain: dist/index.cjs spawns dist/middleware/index.cjs; helper contains network access plus dynamic code execution. L40: return { L41: GLASSTRACE_API_KEY: process.env.GLASSTRACE_API_KEY?.trim() || void 0, L42: GLASSTRACE_FORCE_ENABLE: process.env.GLASSTRACE_FORCE_ENABLE, ... L94: "use strict"; L95: DEFAULT_ENDPOINT = "https://api.glasstrace.dev"; L96: } ... L194: assignProp: () => assignProp, L195: base64ToUint8Array: () => base64ToUint8Array, L196: base64urlToUint8Array: () => base64urlToUint8Array, ... L1074: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1075: } : { success: true, data: result.value }; L1076: };
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.cjsView on unpkg · L40
20179patternName = generic_password severity = medium line = 20179 matchedText = // `pass...d of
Medium
Secret Pattern

Hardcoded password in dist/index.cjs

dist/index.cjsView on unpkg · L20179
dist/node-entry.cjsView file
20149patternName = generic_password severity = medium line = 20149 matchedText = // `pass...d of
Medium
Secret Pattern

Hardcoded password in dist/node-entry.cjs

dist/node-entry.cjsView on unpkg · L20149

Findings

4 High8 Medium5 Low
HighChild Processdist/chunk-WZXVS2EO.js
HighShelldist/chunk-WZXVS2EO.js
HighSandbox Evasion Gated Capabilitydist/cli/init.cjs
HighCross File Remote Execution Contextdist/index.cjs
MediumDynamic Requiredist/chunk-EDOBZ2ND.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
MediumSecret Patterndist/chunk-EDOBZ2ND.js
MediumSecret Patterndist/node-entry.cjs
MediumSecret Patterndist/index.cjs
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings