registry  /  @kairyou/agent-tools  /  0.1.0

@kairyou/agent-tools@0.1.0

Skills and runtime integrations for Codex, Claude Code, and opencode.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 78.2 KB of source, external domains: api.anthropic.com, api.openai.com

Source & flagged code

3 flagged · loading source
statusline/claude/statusline.mjsView file
12L13: import { execFileSync, spawn } from "node:child_process"; L14: import fs from "node:fs";
High
Child Process

Package source references child process execution.

statusline/claude/statusline.mjsView on unpkg · L12
12Cross-file remote execution chain: statusline/claude/statusline.mjs spawns lib/usage.mjs; helper contains network access plus dynamic code execution. L12: L13: import { execFileSync, spawn } from "node:child_process"; L14: import fs from "node:fs"; ... L18: const SCRIPT_DIR = dirname(fileURLToPath(import.meta.url)); L19: const AGENT_TOOLS_HOME = process.env.AGENT_TOOLS_HOME || join(SCRIPT_DIR, "..", ".."); L20: const DEFAULT_CONFIG_FILE = join(AGENT_TOOLS_HOME, "config.jsonc"); ... L56: for await (const chunk of process.stdin) chunks.push(chunk); L57: return Buffer.concat(chunks).toString("utf8"); L58: } ... L213: function renderField(field, data, config) { L214: const dir = data?.workspace?.current_dir || data?.cwd || process.cwd() || ""; L215: const projectDir = data?.workspace?.project_dir || dir;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

statusline/claude/statusline.mjsView on unpkg · L12
lib/usage.mjsView file
12L13: const CODEX_HOME = process.env.CODEX_HOME || join(homedir(), ".codex"); L14: const AGENT_TOOLS_HOME = process.env.AGENT_TOOLS_HOME || join(homedir(), ".agent-tools"); ... L66: if (message) payload.systemMessage = message; L67: process.stdout.write(`${JSON.stringify(payload)}\n`); L68: } ... L196: async function readJson(path) { L197: return JSON.parse(await readFile(path, "utf8")); L198: } ... L314: return [ L315: "https://api.openai.com", L316: "https://api.openai.com/v1",
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

lib/usage.mjsView on unpkg · L12

Findings

3 High3 Medium4 Low
HighChild Processstatusline/claude/statusline.mjs
HighShell
HighCross File Remote Execution Contextstatusline/claude/statusline.mjs
MediumUnsafe Vm Contextlib/usage.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings