registry  /  @h-rig/notifications-plugin  /  0.0.6-alpha.238

@h-rig/notifications-plugin@0.0.6-alpha.238

First-party notification policy/channels capability plugin for Rig.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 3 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
EnvironmentVars
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 3 file(s), 26.6 KB of source

Source & flagged code

1 flagged · loading source
dist/src/index.jsView file
29}); L30: import { lookup as dnsLookup } from "dns/promises"; L31: import { isIP } from "net"; ... L61: if (a === 10 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168) { L62: return "RFC1918/private addresses are not allowed"; L63: } ... L74: } L75: function resolveNotifyAllowHttpLocalhost(raw = process.env[NOTIFY_LOCALHOST_HTTP_OPT_IN_ENV]) { L76: return typeof raw === "string" && TRUE_LIKE[raw.trim().toLowerCase()] === true; ... L139: try { L140: const parsed = await Bun.file(path).json(); L141: return {
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/src/index.jsView on unpkg · L29

Findings

1 High1 Medium1 Low
HighCloud Metadata Accessdist/src/index.js
MediumEnvironment Vars
LowNo License