registry  /  @hachej/boring-agent  /  0.1.81

@hachej/boring-agent@0.1.81

⚠ Under review

Pane-embeddable coding agent. Ships direct/local/vercel-sandbox execution modes behind one interface.

Static Scan Results

scanned 22h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 1.09 MB of source, external domains: api.infomaniak.com, astral.sh, github.com

Source & flagged code

5 flagged · loading source
dist/chunk-I7JNWIYM.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @hachej/boring-agent@0.1.63 matchedIdentity = npm:QGhhY2hlai9ib3JpbmctYWdlbnQ:0.1.63 similarity = 0.444 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-I7JNWIYM.jsView on unpkg
51// [redacted].ts L52: import { spawn } from "child_process"; L53:
High
Child Process

Package source references child process execution.

dist/chunk-I7JNWIYM.jsView on unpkg · L51
192env: withWorkspacePythonEnv({ workspaceRoot, env: opts2?.env, preserveHostHome: true }), L193: shell: true, L194: windowsHide: true,
High
Shell

Package source references shell execution.

dist/chunk-I7JNWIYM.jsView on unpkg · L192
51Cross-file remote execution chain: dist/chunk-I7JNWIYM.js spawns dist/chunk-24VL7G32.js; helper contains network access plus dynamic code execution. L51: // [redacted].ts L52: import { spawn } from "child_process"; L53: ... L103: PIP_CACHE_DIR: join(adapterCacheRoot, "pip"), L104: npm[redacted]: join(adapterCacheRoot, "npm") L105: }; ... L152: if (!pid) return; L153: if (process.platform !== "win32") { L154: try { ... L166: let workspace = null; L167: let runtimeContext = opts.runtimeContext ?? { runtimeCwd: process.cwd() }; L168: return {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-I7JNWIYM.jsView on unpkg · L51
3620remote, L3621: `node -e ${shellQuote3(`const fs=require('fs'); const path=require('path'); const root=fs.realpathSync(process.argv[1]); const target=fs.realpathSync(process.argv[2]); const rel=pa... L3622: );
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-I7JNWIYM.jsView on unpkg · L3620

Findings

1 Critical3 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/chunk-I7JNWIYM.js
HighChild Processdist/chunk-I7JNWIYM.js
HighShelldist/chunk-I7JNWIYM.js
HighCross File Remote Execution Contextdist/chunk-I7JNWIYM.js
MediumDynamic Requiredist/chunk-I7JNWIYM.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings