registry  /  @juspay/neurolink  /  9.80.2

@juspay/neurolink@9.80.2

Universal AI Development Platform with working MCP integration, multi-provider support, voice (TTS/STT/realtime), and professional CLI. 58+ external MCP servers discoverable, multimodal file processing, RAG pipelines. Build, test, and deploy AI applicatio

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 23 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,517 file(s), 17.4 MB of source, external domains: 127.0.0.1, accounts.google.com, aiplatform.googleapis.com, aistudio.google.com, api-inference.huggingface.co, api.anthropic.com, api.arize.com, api.braintrust.dev, api.cartesia.ai, api.clerk.com, api.cloudflare.com, api.cohere.com, api.d-id.com, api.datadoghq.com, api.deepgram.com, api.deepseek.com, api.dev.runwayml.com, api.elevenlabs.io, api.fireworks.ai, api.fish.audio, api.groq.com, api.heygen.com, api.ideogram.ai, api.jina.ai, api.laminar.run, api.mistral.ai, api.openai.com, api.openrouter.ai, api.perplexity.ai, api.piapi.ai, api.replicate.com, api.smith.langchain.com, api.stability.ai, api.together.xyz, api.voyageai.com, api.workos.com, api.x.ai, app.posthog.com, auth0.com, aws.amazon.com, bedrock-runtime.us-east-1.amazonaws.com, better-auth.com, build.nvidia.com, cdn.jsdelivr.net, claude.ai, clerk.com, clerk.dev, cloud.google.com, cloud.langfuse.com, console.anthropic.com
Oversized source lightweight scan
dist/browser/neurolink.min.js4.73 MB file, sampled 256 KB
EnvironmentVarsEvalHighEntropyStringsMinifiedProtestware

Source & flagged code

13 flagged · loading source
dist/utils/providerConfig.jsView file
715patternName = private_key_rsa severity = critical line = 715 matchedText = "GOOGLE_.....",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/utils/providerConfig.jsView on unpkg · L715
715patternName = private_key_rsa severity = critical line = 715 matchedText = "GOOGLE_.....",
Critical
Secret Pattern

RSA private key in dist/utils/providerConfig.js

dist/utils/providerConfig.jsView on unpkg · L715
dist/utils/schemaConversion.jsView file
461// Use Function constructor instead of eval for better scope control L462: const createZodSchema = new Function("z", `return ${schemaExpression}`); L463: const zodSchema = createZodSchema(z);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/utils/schemaConversion.jsView on unpkg · L461
dist/auth/sessionManager.jsView file
120const moduleName = "redis"; L121: const redisModule = (await import( L122: /* @vite-ignore */ moduleName));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/auth/sessionManager.jsView on unpkg · L120
dist/cli/factories/commandFactory.jsView file
686// URLs are preserved as-is by resolveFilePaths L687: // File paths will be converted to base64 by the message builder L688: return resolveFilePaths(imagePaths); ... L731: const lower = filePath.toLowerCase(); L732: return (lower.startsWith("http://") || L733: lower.startsWith("https://") || L734: lower.startsWith("file://") || L735: lower.startsWith("data:")); L736: } ... L769: if (argv.noColor) { L770: process.env.FORCE_COLOR = "0"; L771: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/factories/commandFactory.jsView on unpkg · L686
dist/cli/factories/ollamaCommandFactory.jsView file
1import { spawnSync, } from "child_process"; L2: import chalk from "chalk"; ... L64: if (res.error || res.status !== 0) { L65: throw res.error || new Error(res.stderr); L66: } ... L79: logger.error(chalk.red("Error:", errorMessage)); L80: logger.always(chalk.blue("\nTip: Install Ollama from https://ollama.ai")); L81: process.exit(1); ... L160: try { L161: modelsData = JSON.parse(curlRes.stdout); L162: break; // Success, exit retry loop ... L214: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/factories/ollamaCommandFactory.jsView on unpkg · L1
scripts/observability/manage-local-openobserve.shView file
path = scripts/observability/manage-local-openobserve.sh kind = build_helper sizeBytes = 7309 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/observability/manage-local-openobserve.shView on unpkg
dist/browser/neurolink.min.jsView file
path = dist/browser/neurolink.min.js kind = oversized_source_file sizeBytes = 4958715 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/browser/neurolink.min.jsView on unpkg
dist/processors/errors/errorSerializer.jsView file
471patternName = generic_password severity = medium line = 471 matchedText = * // Res...ed }
Medium
Secret Pattern

Hardcoded password in dist/processors/errors/errorSerializer.js

dist/processors/errors/errorSerializer.jsView on unpkg · L471
dist/processors/errors/errorSerializer.d.tsView file
75patternName = generic_password severity = medium line = 75 matchedText = * // Res...ed }
Medium
Secret Pattern

Hardcoded password in dist/processors/errors/errorSerializer.d.ts

dist/processors/errors/errorSerializer.d.tsView on unpkg · L75
dist/lib/utils/providerConfig.jsView file
715patternName = private_key_rsa severity = critical line = 715 matchedText = "GOOGLE_.....",
Critical
Secret Pattern

RSA private key in dist/lib/utils/providerConfig.js

dist/lib/utils/providerConfig.jsView on unpkg · L715
dist/lib/processors/errors/errorSerializer.jsView file
471patternName = generic_password severity = medium line = 471 matchedText = * // Res...ed }
Medium
Secret Pattern

Hardcoded password in dist/lib/processors/errors/errorSerializer.js

dist/lib/processors/errors/errorSerializer.jsView on unpkg · L471
dist/lib/processors/errors/errorSerializer.d.tsView file
75patternName = generic_password severity = medium line = 75 matchedText = * // Res...ed }
Medium
Secret Pattern

Hardcoded password in dist/lib/processors/errors/errorSerializer.d.ts

dist/lib/processors/errors/errorSerializer.d.tsView on unpkg · L75

Findings

3 Critical2 High11 Medium7 Low
CriticalCritical Secretdist/utils/providerConfig.js
CriticalSecret Patterndist/utils/providerConfig.js
CriticalSecret Patterndist/lib/utils/providerConfig.js
HighSandbox Evasion Gated Capabilitydist/cli/factories/ollamaCommandFactory.js
HighOversized Source Filedist/browser/neurolink.min.js
MediumDynamic Requiredist/auth/sessionManager.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/factories/commandFactory.js
MediumProtestware
MediumShips Build Helperscripts/observability/manage-local-openobserve.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/processors/errors/errorSerializer.js
MediumSecret Patterndist/processors/errors/errorSerializer.d.ts
MediumSecret Patterndist/lib/processors/errors/errorSerializer.js
MediumSecret Patterndist/lib/processors/errors/errorSerializer.d.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/utils/schemaConversion.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings