
@infinitestudios/hands-body-and-feet@2.3.2

Give AI agents real-world capabilities via MCP — email, phone, wallet, payments, virtual cards, and more

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 findings at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.
Scanned 14 files, 330 KB of source. External domains: api.agentmail.to, api.earthclassmail.com, api.paywithmoon.com, api.postscanmail.com, api.web3.storage, github.com, mainnet.base.org, ntfy.sh, opentrust.sh, polygon-rpc.com, sandbox.api.paywithmoon.com

Source & flagged code

6 flagged

dist/chunk-EBBSFNXS.js
  L1403: // src/control-panel/open-browser.ts
  L1404: import { spawn } from "child_process";
  L1405: import { readFileSync as readFileSync2 } from "fs";

High · Child Process
Package source references child process execution.
dist/chunk-EBBSFNXS.js, L1403
dist/chunk-EBBSFNXS.js
  L1419: if (process.platform === "win32" || isWsl()) {
  L1420:   command = "cmd.exe";
  L1421:   args = ["/c", "start", "", url];

High · Shell
Package source references shell execution.
dist/chunk-EBBSFNXS.js, L1419
dist/chunk-EBBSFNXS.js
  L127: const available = [];
  L128: const ipfsApiUrl = env["IPFS_API_URL"] ?? "http://localhost:5001";
  L129: if (hasKey(env, "IPFS_API_URL") || ipfsApiUrl === "http://localhost:5001") {
  ...
  L173: }
  L174: function getCapabilityStatuses(env = process.env) {
  L175:   return {
  ...
  L199: const pathVal = env[envPathKey] ?? "";
  L200: const separator = process.platform === "win32" ? ";" : ":";
  L201: const dirs = pathVal.split(separator);
  ...
  L635: try {
  L636:   return JSON.parse(value);
  L637: } catch {

High · Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/chunk-EBBSFNXS.js, L127
dist/chunk-YBGPBPM7.js
  L3190:   steps,
  L3191:   message: "No Hermes install found. Install Hermes first (https://github.com/NousResearch/hermes-agent), then re-run hermes_setup."
  L3192: };
  ...
  L3202: try {
  L3203:   const r = spawnSync(install.python, ["-c", PATCH_PY, install.agentDir], {
  L3204:     encoding: "utf8",
  L3205:     env: { ...process.env, PYTHONPATH: install.agentDir }
  L3206:   });

High · Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/chunk-YBGPBPM7.js, L3190
dist/chunk-YBGPBPM7.js
  L1243: async function ngrokCreate(port, label) {
  L1244:   const ngrok = await import("@ngrok/ngrok");
  L1245:   const listener = await ngrok.forward({ addr: port });

Medium · Dynamic Require
Package source references dynamic require/import behavior.
dist/chunk-YBGPBPM7.js, L1243
dist/chunk-YBGPBPM7.js
  L54: const signingInput = `${headerB64}.${payloadB64}`;
  L55: const expectedSig = createHmac("sha256", secret).update(signingInput).digest("base64url");
  L56: if (expectedSig !== signatureB64) {
  ...
  L62: async function validatePassport(token, registryUrl) {
  L63:   const jwtSecret = process.env["OPENTRUST_JWT_SECRET"];
  L64:   if (jwtSecret) {
  ...
  L68: try {
  L69:   response = await fetch(`${registryUrl}/api/v1/passports/validate`, {
  L70:     method: "POST",
  ...
  L152:   },
  L153:   body: params.message
  L154: });

Low · Weak Crypto
Package source references weak cryptographic algorithms.
dist/chunk-YBGPBPM7.js, L54

Findings

4 High · 4 Medium · 6 Low

High: Child Process (dist/chunk-EBBSFNXS.js)
High: Shell (dist/chunk-EBBSFNXS.js)
High: Same File Env Network Execution (dist/chunk-YBGPBPM7.js)
High: Sandbox Evasion Gated Capability (dist/chunk-EBBSFNXS.js)
Medium: Dynamic Require (dist/chunk-YBGPBPM7.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Weak Crypto (dist/chunk-YBGPBPM7.js)
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings