registry  /  @indigoai-us/hq-cloud  /  6.13.3

@indigoai-us/hq-cloud@6.13.3

HQ by Indigo cloud sync engine — bidirectional S3 sync for mobile access

Static Scan Results

scanned 13d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 265 file(s), 4.49 MB of source, external domains: api.example.com, cognito-idp.eu-west-1.amazonaws.com, cognito-idp.us-east-1.amazonaws.com, example.com, github.com, hqapi.getindigo.ai, s3.test, signed.example, sqs.local, sqs.us-east-1.amazonaws.com, vault-api.example.com, vault-api.test, vault.test, vault.test.example.com

Source & flagged code

11 flagged · loading source
dist/vault-client.test.jsView file
564patternName = aws_access_key severity = critical line = 564 matchedText = accessKe...LE",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/vault-client.test.jsView on unpkg · L564
564patternName = aws_access_key severity = critical line = 564 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in dist/vault-client.test.js

dist/vault-client.test.jsView on unpkg · L564
571patternName = aws_access_key severity = critical line = 571 matchedText = expect(r...E");
Critical
Secret Pattern

AWS access key ID in dist/vault-client.test.js

dist/vault-client.test.jsView on unpkg · L571
582patternName = aws_access_key severity = critical line = 582 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in dist/vault-client.test.js

dist/vault-client.test.jsView on unpkg · L582
589patternName = aws_access_key severity = critical line = 589 matchedText = expect(r...E");
Critical
Secret Pattern

AWS access key ID in dist/vault-client.test.js

dist/vault-client.test.jsView on unpkg · L589
dist/cli/share.jsView file
1101// target lives outside the company folder (e.g. companies/{co}/ L1102: // knowledge → repos/private/knowledge-{co}/) — the LINK itself is L1103: // inside the company folder and is exactly what we want to record, ... L1369: function isBulkAsymmetryOverride() { L1370: const v = (process.env.HQ_SYNC_DELETE_BULK_OVERRIDE ?? "").toLowerCase(); L1371: return v === "1" || v === "true" || v === "yes";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/share.jsView on unpkg · L1101
scripts/vault-rescue.shView file
path = scripts/vault-rescue.sh kind = build_helper sizeBytes = 10887 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/vault-rescue.shView on unpkg
src/vault-client.test.tsView file
751patternName = aws_access_key severity = critical line = 751 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in src/vault-client.test.ts

src/vault-client.test.tsView on unpkg · L751
761patternName = aws_access_key severity = critical line = 761 matchedText = expect(r...E");
Critical
Secret Pattern

AWS access key ID in src/vault-client.test.ts

src/vault-client.test.tsView on unpkg · L761
775patternName = aws_access_key severity = critical line = 775 matchedText = accessKe...LE",
Critical
Secret Pattern

AWS access key ID in src/vault-client.test.ts

src/vault-client.test.tsView on unpkg · L775
785patternName = aws_access_key severity = critical line = 785 matchedText = expect(r...E");
Critical
Secret Pattern

AWS access key ID in src/vault-client.test.ts

src/vault-client.test.tsView on unpkg · L785

Findings

9 Critical4 Medium6 Low
CriticalCritical Secretdist/vault-client.test.js
CriticalSecret Patterndist/vault-client.test.js
CriticalSecret Patterndist/vault-client.test.js
CriticalSecret Patterndist/vault-client.test.js
CriticalSecret Patterndist/vault-client.test.js
CriticalSecret Patternsrc/vault-client.test.ts
CriticalSecret Patternsrc/vault-client.test.ts
CriticalSecret Patternsrc/vault-client.test.ts
CriticalSecret Patternsrc/vault-client.test.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/vault-rescue.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/cli/share.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings