registry  /  @herald-ai/herald  /  0.1.44

@herald-ai/herald@0.1.44

⚠ Under review

AI DevOps agent for developers working from the terminal

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 217 file(s), 1.32 MB of source, external domains: 127.0.0.1, api.eu.newrelic.com, api.githubcopilot.com, api.herald.dev, api.motherduck.com, api.newrelic.com, api.supabase.com, app.herald.dev, astral.sh, clouderrorreporting.googleapis.com, console.cloud.google.com, docs.astral.sh, gateway.runllm.com, grafana.example.com, herald.dev, mcp.eu.newrelic.com, mcp.honeycomb.io, mcp.newrelic.com, mcp.render.com, monitoring.googleapis.com, my-deployment.kb.us-central1.gcp.elastic.cloud, nodejs.org, one.eu.newrelic.com, one.newrelic.com, portal.azure.com, registry.npmjs.org, splunk.example.com, supabase.com, www.googleapis.com

Source & flagged code

5 flagged · loading source
dist/screens/Investigation.jsView file
2import { useCallback, useEffect, useMemo, useRef, useState } from "react"; L3: import { spawn } from "node:child_process"; L4: import { Box, Static, Text, useApp, useInput } from "ink";
High
Child Process

Package source references child process execution.

dist/screens/Investigation.jsView on unpkg · L2
295const startMs = Date.now(); L296: const proc = spawn(cmd, { shell: true }); L297: shellProcRef.current = proc;
High
Shell

Package source references shell execution.

dist/screens/Investigation.jsView on unpkg · L295
bin/herald.jsView file
5const __dirname = dirname(fileURLToPath(import.meta.url)); L6: await import(resolve(__dirname, '../dist/main.js'));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/herald.jsView on unpkg · L5
dist/main.jsView file
325if (wasUpgradeRequested()) { L326: const { spawnSync } = await import("node:child_process"); L327: process.stdout.write("\nRunning: npm install -g @herald-ai/herald\n\n"); L328: const result = spawnSync("npm", ["install", "-g", "@herald-ai/herald"], { stdio: "inherit" });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/main.jsView on unpkg · L325
dist/lib/experiment/claude-subprocess.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @herald-ai/herald@0.1.41 matchedIdentity = npm:QGhlcmFsZC1haS9oZXJhbGQ:0.1.41 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/experiment/claude-subprocess.jsView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/lib/experiment/claude-subprocess.js
HighChild Processdist/screens/Investigation.js
HighShelldist/screens/Investigation.js
HighRuntime Package Installdist/main.js
MediumDynamic Requirebin/herald.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings