registry  /  @jacobbd/relay-ai  /  0.4.6

@jacobbd/relay-ai@0.4.6

Relay any model into any coding agent — launch Claude Code, Codex, and more with multi-provider gateways

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 935 KB of source, external domains: 127.0.0.1, accounts.google.com, aistudio.google.com, antigravity.google, api.anthropic.com, api.cerebras.ai, api.cohere.com, api.deepinfra.com, api.deepseek.com, api.example.com, api.github.com, api.githubcopilot.com, api.groq.com, api.kilo.ai, api.kimi.com, api.mistral.ai, api.moonshot.ai, api.moonshot.cn, api.openai.com, api.perplexity.ai, api.together.xyz, api.venice.ai, api.x.ai, app.kilo.ai, auth.openai.com, auth.x.ai, build.nvidia.com, cdn.simpleicons.org, chatgpt.com, claude.ai, cloud.cerebras.ai, cloudcode-pa.googleapis.com, codeassist.google.com, console.anthropic.com, console.groq.com, console.mistral.ai, console.x.ai, daily-cloudcode-pa.googleapis.com, daily-cloudcode-pa.sandbox.googleapis.com, dashboard.cohere.com, dashscope.aliyuncs.com, dashscope.console.aliyun.com, deepinfra.com, developers.openai.com, generativelanguage.googleapis.com, github.com, integrate.api.nvidia.com, models.dev, my-proxy.example.com, oauth2.googleapis.com
Oversized source lightweight scan
dist/chunk-YM6G7BHE.js2.54 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellWebSocketDynamicRequireHighEntropyStringsUrlStrings127.0.0.1accounts.google.comapi.anthropic.comapi.example.comapi.github.comapi.openai.comapi.x.aiauth.openai.comauth.x.aichatgpt.comclaude.aicloudcode-pa.googleapis.comdaily-cloudcode-pa.googleapis.comdaily-cloudcode-pa.sandbox.googleapis.comdevelopers.openai.comgithub.commodels.devoauth2.googleapis.comopencode.aiplatform.claude.comregistry.npmjs.orgrequesty.airouter.requesty.aiwww.googleapis.com

Source & flagged code

6 flagged · loading source
dist/cli.jsView file
288oauthImported: 0, L289: error: "OpenCode CLI not found or failed to start. Install from https://opencode.ai" L290: }; ... L398: import { homedir } from "os"; L399: import { spawnSync } from "child_process"; L400: function detectShellProfile() { L401: const shell = process.env["SHELL"] ?? ""; L402: if (process.platform === "darwin") { L403: if (shell.includes("zsh")) return { display: "~/.zshrc", path: `${homedir()}/.zshrc` }; L404: if (shell.includes("bash")) return { display: "~/.bash_profile", path: `${homedir()}/.bash_profile` }; ... L671: oauthAccountId: lp.oauthAccountId, L672: providerData: lp.providerData,
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L288
1192} L1193: async function runProvidersImport() { L1194: const registry = loadRegistry();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.jsView on unpkg · L1192
288oauthImported: 0, L289: error: "OpenCode CLI not found or failed to start. Install from https://opencode.ai" L290: }; ... L398: import { homedir } from "os"; L399: import { spawnSync } from "child_process"; L400: function detectShellProfile() { L401: const shell = process.env["SHELL"] ?? ""; L402: if (process.platform === "darwin") { L403: if (shell.includes("zsh")) return { display: "~/.zshrc", path: `${homedir()}/.zshrc` }; L404: if (shell.includes("bash")) return { display: "~/.bash_profile", path: `${homedir()}/.bash_profile` }; ... L671: oauthAccountId: lp.oauthAccountId, L672: providerData: lp.providerData,
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.jsView on unpkg · L288
288oauthImported: 0, L289: error: "OpenCode CLI not found or failed to start. Install from https://opencode.ai" L290: }; ... L398: import { homedir } from "os"; L399: import { spawnSync } from "child_process"; L400: function detectShellProfile() { L401: const shell = process.env["SHELL"] ?? ""; L402: if (process.platform === "darwin") { L403: if (shell.includes("zsh")) return { display: "~/.zshrc", path: `${homedir()}/.zshrc` }; L404: if (shell.includes("bash")) return { display: "~/.bash_profile", path: `${homedir()}/.bash_profile` }; ... L671: oauthAccountId: lp.oauthAccountId, L672: providerData: lp.providerData,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli.jsView on unpkg · L288
dist/chunk-YM6G7BHE.jsView file
path = dist/chunk-YM6G7BHE.js kind = oversized_source_file sizeBytes = 2665088 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunk-YM6G7BHE.jsView on unpkg
path = dist/chunk-YM6G7BHE.js kind = oversized_cli_entrypoint sizeBytes = 2665088 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/chunk-YM6G7BHE.jsView on unpkg

Findings

2 High6 Medium6 Low
HighSandbox Evasion Gated Capabilitydist/cli.js
HighOversized Source Filedist/chunk-YM6G7BHE.js
MediumDynamic Requiredist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli.js
MediumOversized Cli Entrypointdist/chunk-YM6G7BHE.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings