registry  /  @iicp/client  /  0.7.92

@iicp/client@0.7.92

⚠ Under review

Use the open IICP AI mesh from TypeScript or JavaScript without running a node

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 54 file(s), 594 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.ipify.org, api6.ipify.org, cloudflare-dns.com, iicp.network, pkg.cloudflare.com, registry.npmjs.org, schemas.xmlsoap.org

Source & flagged code

5 flagged · loading source
dist/tunnel.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @iicp/client@0.7.88 matchedIdentity = npm:QGlpY3AvY2xpZW50:0.7.88 similarity = 0.860 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tunnel.jsView on unpkg
22exports.openQuickTunnel = openQuickTunnel; L23: const node_child_process_1 = require("node:child_process"); L24: const fs = require("node:fs");
High
Child Process

Package source references child process execution.

dist/tunnel.jsView on unpkg · L22
dist/node.jsView file
804// eslint-disable-next-line @typescript-eslint/no-explicit-any L805: this._prom = await eval('import("prom-client")'); L806: this._tasksCounter = new this._prom.Counter({
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/node.jsView on unpkg · L804
dist/client.jsView file
7exports.IicpClient = void 0; L8: const node_crypto_1 = require("node:crypto"); L9: const confidentiality_js_1 = require("./confidentiality.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/client.jsView on unpkg · L7
dist/cli.jsView file
415try { L416: (0, node_child_process_1.execSync)(`npm install --no-save ${extras.join(" ")}`, { stdio: "inherit" }); L417: process.stdout.write(" ✓ done\n");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L415

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/tunnel.js
HighChild Processdist/tunnel.js
HighShell
HighRuntime Package Installdist/cli.js
MediumDynamic Requiredist/client.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/node.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings