registry  /  @hachej/boring-agent  /  0.1.84

@hachej/boring-agent@0.1.84

⚠ Under review

Pane-embeddable coding agent. Ships direct/local/vercel-sandbox execution modes behind one interface.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 1.10 MB of source, external domains: api.infomaniak.com, astral.sh, github.com

Source & flagged code

5 flagged · loading source
dist/chunk-5IRFVKV7.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @hachej/boring-agent@0.1.63 matchedIdentity = npm:QGhhY2hlai9ib3JpbmctYWdlbnQ:0.1.63 similarity = 0.444 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-5IRFVKV7.jsView on unpkg
54// [redacted].ts L55: import { spawn } from "child_process"; L56:
High
Child Process

Package source references child process execution.

dist/chunk-5IRFVKV7.jsView on unpkg · L54
195env: withWorkspacePythonEnv({ workspaceRoot, env: opts2?.env, preserveHostHome: true }), L196: shell: true, L197: windowsHide: true,
High
Shell

Package source references shell execution.

dist/chunk-5IRFVKV7.jsView on unpkg · L195
54Cross-file remote execution chain: dist/chunk-5IRFVKV7.js spawns dist/chunk-5NAN3TAR.js; helper contains network access plus dynamic code execution. L54: // [redacted].ts L55: import { spawn } from "child_process"; L56: ... L106: PIP_CACHE_DIR: join(adapterCacheRoot, "pip"), L107: npm[redacted]: join(adapterCacheRoot, "npm") L108: }; ... L155: if (!pid) return; L156: if (process.platform !== "win32") { L157: try { ... L169: let workspace = null; L170: let runtimeContext = opts.runtimeContext ?? { runtimeCwd: process.cwd() }; L171: return {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-5IRFVKV7.jsView on unpkg · L54
3648remote, L3649: `node -e ${shellQuote3(`const fs=require('fs'); const path=require('path'); const root=fs.realpathSync(process.argv[1]); const target=fs.realpathSync(process.argv[2]); const rel=pa... L3650: );
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-5IRFVKV7.jsView on unpkg · L3648

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/chunk-5IRFVKV7.js
HighChild Processdist/chunk-5IRFVKV7.js
HighShelldist/chunk-5IRFVKV7.js
HighCross File Remote Execution Contextdist/chunk-5IRFVKV7.js
MediumDynamic Requiredist/chunk-5IRFVKV7.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings