registry  /  @happyskillsai/instant-canvas  /  0.5.3

@happyskillsai/instant-canvas@0.5.3

⚠ Under review

Local canvas runtime for coding agents: renders canvas JSON (markdown, KPIs, tables, 26 chart kinds incl. 3D and ML plots, forms) via a per-workspace localhost kernel and collects input/secrets straight to local files.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 29 file(s), 1.86 MB of source, external domains: 127.0.0.1, example.com, feross.org, getify.mit-license.org, github.com, syntheti.cc, www.w3.org, xxxx.supabase.co
Oversized source lightweight scan
scripts/web/vendor/plotly.min.js2.64 MB file, sampled 256 KB
ChildProcessHighEntropyStringsMinifiedUrlStringsfeross.orggetify.mit-license.orggithub.comsyntheti.ccwww.w3.org

Source & flagged code

6 flagged · loading source
scripts/instantcanvas.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @happyskillsai/instant-canvas@0.3.1 matchedIdentity = npm:[redacted]:0.3.1 similarity = 0.619 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/instantcanvas.jsView on unpkg
16const http = require('node:http') L17: const { spawn } = require('node:child_process') L18:
High
Child Process

Package source references child process execution.

scripts/instantcanvas.jsView on unpkg · L16
3L4: // InstantCanvas CLI. stdout carries EXACTLY ONE JSON document per run; L5: // every log/progress line goes to stderr (through lib/redact). ... L9: if (major < 20) { L10: process.stderr.write(`InstantCanvas requires Node >= 20 (found ${process.versions.node}).\n`) L11: process.exit(2) ... L15: const path = require('node:path') L16: const http = require('node:http') L17: const { spawn } = require('node:child_process') L18:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

scripts/instantcanvas.jsView on unpkg · L3
scripts/web/vendor/highlight.min.jsView file
3164;hljs.registerLanguage("pony",e)})(); L3165: /*! `powershell` grammar compiled for Highlight.js 11.11.1 */ L3166: (()=>{var e=(()=>{"use strict";return e=>{const n={$pattern:/-?[A-z\.\-]+\b/,
High
Shell

Package source references shell execution.

scripts/web/vendor/highlight.min.jsView on unpkg · L3164
scripts/kernel.jsView file
6L7: const http = require('node:http') L8: const fs = require('node:fs') ... L11: const crypto = require('node:crypto') L12: const { spawn } = require('node:child_process') L13: ... L29: L30: const WEB_DIR = path.join(__dirname, 'web') L31: const VERSION = PKG_VERSION ... L49: if (!rootArg || !fs.existsSync(rootArg) || !fs.statSync(rootArg).isDirectory()) { L50: process.stderr.write('kernel: workspace root missing or not a directory: ' + String(rootArg) + '\n') L51: process.exit(2)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

scripts/kernel.jsView on unpkg · L6
scripts/web/vendor/plotly.min.jsView file
path = scripts/web/vendor/plotly.min.js kind = oversized_source_file sizeBytes = 2765319 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

scripts/web/vendor/plotly.min.jsView on unpkg

Findings

1 Critical4 High3 Medium8 Low
CriticalPrevious Version Dangerous Deltascripts/instantcanvas.js
HighChild Processscripts/instantcanvas.js
HighShellscripts/web/vendor/highlight.min.js
HighCommand Output Exfiltrationscripts/instantcanvas.js
HighOversized Source Filescripts/web/vendor/plotly.min.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptoscripts/kernel.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings