registry  /  @hachej/boring-agent  /  0.1.75

@hachej/boring-agent@0.1.75

⚠ Under review

Pane-embeddable coding agent. Ships direct/local/vercel-sandbox execution modes behind one interface.

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 1.00 MB of source, external domains: api.infomaniak.com, astral.sh, github.com

Source & flagged code

5 flagged · loading source
dist/server/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @hachej/boring-agent@0.1.63 matchedIdentity = npm:QGhhY2hlai9ib3JpbmctYWdlbnQ:0.1.63 similarity = 0.444 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server/index.jsView on unpkg
45// [redacted].ts L46: import { spawn } from "child_process"; L47:
High
Child Process

Package source references child process execution.

dist/server/index.jsView on unpkg · L45
186env: withWorkspacePythonEnv({ workspaceRoot, env: opts2?.env, preserveHostHome: true }), L187: shell: true, L188: windowsHide: true,
High
Shell

Package source references shell execution.

dist/server/index.jsView on unpkg · L186
45Cross-file remote execution chain: dist/server/index.js spawns dist/chunk-FDGWCMJD.js; helper contains network access plus dynamic code execution. L45: // [redacted].ts L46: import { spawn } from "child_process"; L47: ... L97: PIP_CACHE_DIR: join(adapterCacheRoot, "pip"), L98: npm[redacted]: join(adapterCacheRoot, "npm") L99: }; ... L146: if (!pid) return; L147: if (process.platform !== "win32") { L148: try { ... L160: let workspace = null; L161: let runtimeContext = opts.runtimeContext ?? { runtimeCwd: process.cwd() }; L162: return {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/server/index.jsView on unpkg · L45
3614remote, L3615: `node -e ${shellQuote3(`const fs=require('fs'); const path=require('path'); const root=fs.realpathSync(process.argv[1]); const target=fs.realpathSync(process.argv[2]); const rel=pa... L3616: );
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/server/index.jsView on unpkg · L3614

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/server/index.js
HighChild Processdist/server/index.js
HighShelldist/server/index.js
HighCross File Remote Execution Contextdist/server/index.js
MediumDynamic Requiredist/server/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings