@hasna/loops@0.4.10

Persistent local loop and workflow runner for deterministic commands and headless AI coding agents

Static Scan Results

scanned 9h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: WildcardDependency
scanned 14 file(s), 2.67 MB of source, external domains: github.com, registry.npmjs.org, www.apple.com

Source & flagged code

2 flagged
dist/cli/index.js
L58: import { join } from "path";
L59: function homeDir() {
L60: const home = process.env.HOME?.trim();
L61: return home ? home : homedir();
...
L88: import { readFileSync } from "fs";
L89: import { spawnSync } from "child_process";
L90: var START_TIME_TOLERANCE_MS = 5000;
...
L96: const run = spawnSync("getconf", ["CLK_TCK"], { encoding: "utf8" });
L97: const value = Number(run.stdout.trim());
L98: clockTicksCache = run.status === 0 && Number.isFinite(value) && value > 0 ? value : 100;
...
L131: return;
L132: if (process.platform === "linux") {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/index.js · L58
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.js · L58

Findings

1 High · 5 Medium · 5 Low
High: Sandbox Evasion Gated Capability (dist/cli/index.js)
Medium: Network
Medium: Environment Vars
Medium: Install Persistence (dist/cli/index.js)
Medium: Structural Risk Force Deep Review
Medium: Wildcard Dependency
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings