registry  /  @kahitsan/plugin-sdk  /  0.7.2

@kahitsan/plugin-sdk@0.7.2

THE single public author surface for Hilinga plugins: createPlugin, auth guards, the workspace-scoped data surface (makeDataSurface) + migrations + withTenantContext, cross-plugin RPC, and the wire-protocol verify surface. One npm package, no -composite/-

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 28 file(s), 593 KB of source, external domains: 127.0.0.1, bun.sh, github.com, www.w3.org

Source & flagged code

7 flagged · loading source
bin/cli.mjsView file
11// so the launcher re-execs under Bun; install it from https://bun.sh. L12: import { spawn } from "node:child_process"; L13: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

bin/cli.mjsView on unpkg · L11
dist/index.jsView file
1/*! [redacted]... L2: const _0x123b3d=_0x5d91;(function(_0x2e056f,_0x4e80b2){const _0x4d3d84=_0x5d91,_0x41799a=_0x2e056f();while(!![]){try{const _0x4c0bcb=-parseInt(_0x4d3d84(0x36f))/(-0x2*-0x71d+0x9*0x...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L1
1/*! [redacted]... L2: const _0x123b3d=_0x5d91;(function(_0x2e056f,_0x4e80b2){const _0x4d3d84=_0x5d91,_0x41799a=_0x2e056f();while(!![]){try{const _0x4c0bcb=-parseInt(_0x4d3d84(0x36f))/(-0x2*-0x71d+0x9*0x...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1
src/dev/dev-host.tsView file
135) as Manifest; L136: l.proc = spawn({ L137: cmd: ["bun", "--preload", PRELOAD, join(l.dir, "server", "main.ts")], ... L139: env: { L140: ...process.env, L141: KSERP_DEV_PLUGIN_DIR: l.dir, ... L145: KSERP_PLUGIN_SCHEMAS: (manifest.schemas ?? []).join(","), L146: KSERP_KERNEL_URL: `http://127.0.0.1:${mediatorPort}`, L147: KSERP_INTERNAL_SECRET: DEV_SECRET,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/dev/dev-host.tsView on unpkg · L135
shell/sw.js.gzView file
path = shell/sw.js.gz kind = compressed_blob sizeBytes = 1440 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

shell/sw.js.gzView on unpkg
shell/favicon.icoView file
path = shell/favicon.ico kind = high_entropy_blob sizeBytes = 5667 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

shell/favicon.icoView on unpkg
shell/_build/.vite/manifest.json.gzView file
path = shell/_build/.vite/manifest.json.gz kind = payload_in_excluded_dir sizeBytes = 727 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

shell/_build/.vite/manifest.json.gzView on unpkg

Findings

7 High5 Medium5 Low
HighChild Processbin/cli.mjs
HighShell
HighSame File Env Network Executionsrc/dev/dev-host.ts
HighObfuscated Payload Loaderdist/index.js
HighObfuscated
HighShips High Entropy Blobshell/favicon.ico
HighPayload In Excluded Dirshell/_build/.vite/manifest.json.gz
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobshell/sw.js.gz
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License