@hasna/loops@0.4.3

Persistent local loop and workflow runner for deterministic commands and headless AI coding agents

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: WildcardDependency
scanned 14 file(s), 2.54 MB of source, external domains: github.com, registry.npmjs.org, www.apple.com

Source & flagged code

3 flagged
dist/cli/index.js
L59: function dataDir() {
L60:   return process.env.LOOPS_DATA_DIR || join(homedir(), ".hasna", "loops");
L61: }
...
L84: import { readFileSync } from "fs";
L85: import { spawnSync } from "child_process";
L86: var START_TIME_TOLERANCE_MS = 5000;
...
L92: const run = spawnSync("getconf", ["CLK_TCK"], { encoding: "utf8" });
L93: const value = Number(run.stdout.trim());
L94: clockTicksCache = run.status === 0 && Number.isFinite(value) && value > 0 ? value : 100;
...
L127: return;
L128: if (process.platform === "linux") {
L129: const fields = procStatFields(`/proc/${pid}/stat`);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/index.js · L59
matchType = previous_version_dangerous_delta
matchedPackage = @hasna/loops@0.4.5
matchedIdentity = npm:QGhhc25hL2xvb3Bz:0.4.5
similarity = 0.385
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/index.js
L59: function dataDir() {
L60:   return process.env.LOOPS_DATA_DIR || join(homedir(), ".hasna", "loops");
L61: }
...
L84: import { readFileSync } from "fs";
L85: import { spawnSync } from "child_process";
L86: var START_TIME_TOLERANCE_MS = 5000;
...
L92: const run = spawnSync("getconf", ["CLK_TCK"], { encoding: "utf8" });
L93: const value = Number(run.stdout.trim());
L94: clockTicksCache = run.status === 0 && Number.isFinite(value) && value > 0 ? value : 100;
...
L127: return;
L128: if (process.platform === "linux") {
L129: const fields = procStatFields(`/proc/${pid}/stat`);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.js · L59

Findings

2 High · 5 Medium · 5 Low
High · Sandbox Evasion Gated Capability · dist/cli/index.js
High · Previous Version Dangerous Delta · dist/cli/index.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/cli/index.js
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings