registry  /  @hasna/telephony  /  0.2.7

@hasna/telephony@0.2.7

Telephony platform for AI agents — SMS, WhatsApp, voice calls, TTS/STT, real-time streaming

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 75 file(s), 1.20 MB of source, external domains: 127.0.0.1, api.cerebras.ai, api.elevenlabs.io, example.com, github.com, registry.npmjs.org, telephony.hasna.xyz, truststore.pki.rds.amazonaws.com

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = mkdir -p $HOME/.hasna/telephony $HOME/.hasna/telephony/audio 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = mkdir -p $HOME/.hasna/telephony $HOME/.hasna/telephony/audio 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
448} L449: exec(sql) { L450: this.raw.exec(sql);
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L448
21function defaultCloudBaseUrl(name) { L22: return `https://${name}.hasna.xyz`; L23: } ... L57: } L58: function resolveClientTransport(name, env = process.env) { L59: const keys = clientTransportEnvKeys(name); ... L161: return path; L162: const params = query instanceof URLSearchParams ? query : new URLSearchParams; L163: if (!(query instanceof URLSearchParams)) { ... L236: } L237: const text = await response.text(); L238: let parsed = undefined;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L21
dist/cli/index.jsView file
1189} L1190: const execArgv = process2.execArgv ?? []; L1191: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L1189
39Cross-file remote execution chain: dist/cli/index.js spawns dist/mcp/index.js; helper contains network access plus dynamic code execution. L39: class CommanderError extends Error { L40: constructor(exitCode, code, message) { L41: super(message); ... L743: var EventEmitter = __require("events").EventEmitter; L744: var childProcess = __require("child_process"); L745: var path = __require("path"); ... L789: this._outputConfiguration = { L790: writeOut: (str) => process2.stdout.write(str), L791: writeErr: (str) => process2.stderr.write(str), ... L2070: L2071: // package.json L2072: var package_default;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/index.jsView on unpkg · L39

Findings

4 High4 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighShelldist/cli/index.js
HighCross File Remote Execution Contextdist/cli/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings