registry  /  @kenkaiiii/ggcoder  /  5.8.3

@kenkaiiii/ggcoder@5.8.3

CLI coding agent with OAuth authentication for Anthropic, OpenAI, and Gemini

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 409 file(s), 2.75 MB of source, external domains: 0.0.0.0, 127.0.0.1, 192.168.1.5, a.example, ads.linkedin.com, api.example, api.telegram.org, api.xiaomimimo.com, api.z.ai, app.com, awin1.com, b.example, chatgpt.com, coupon.example.com, developer.mozilla.org, docs.a.com, docs.b.com, docs.example.com, docs.python.org, duckduckgo.com, example-ad.com, example.com, github.com, global.example, googleadservices.com, html.duckduckgo.com, ice1.somafm.com, lite.duckduckgo.com, mcp.asana.com, mcp.canva.com, mcp.notion.com, mediaworks.streamguys1.com, mpv.io, platform.example.com, project.example, reactbits.dev, search.brave.com, skills.sh, stream.radioparadise.com, t.me, token-plan-sgp.xiaomimimo.com, uiverse.io, www.bing.com, www.google.com, www.typescriptlang.org, x.example

Source & flagged code

4 flagged · loading source
dist/tools/html-extract.jsView file
30const [linkedom, readability, turndown, gfmMod] = (await Promise.all([ L31: import(linkedomName), L32: import(readabilityName),
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tools/html-extract.jsView on unpkg · L30
dist/core/hashline.jsView file
1/** L2: * Hash-anchored line addressing — the pure, UI-free core shared by the hashline
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/hashline.jsView on unpkg · L1
dist/core/radio.jsView file
1import { spawn } from "node:child_process"; L2: import { existsSync } from "node:fs"; ... L9: description: "Chilled downtempo, ambient grooves", L10: url: "http://ice1.somafm.com/groovesalad-128-mp3", L11: }, ... L39: function extraPlayerDirs() { L40: switch (process.platform) { L41: case "darwin": ... L67: // 1) PATH (covers terminal launches + any inherited shell environment). L68: const pathDirs = (process.env.PATH ?? "").split(path.delimiter).filter(Boolean); L69: // 2) Well-known dirs a GUI PATH typically omits. ... L78: * Streaming-capable players in priority order. Each gets its quietest flag
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/core/radio.jsView on unpkg · L1
dist/tools/web-fetch.jsView file
4/** L5: * Block requests to private/internal network addresses to prevent SSRF. L6: * Checks the hostname against known private IP ranges and reserved domains. ... L165: for (let hop = 0; hop <= MAX_REDIRECTS; hop++) { L166: const response = await fetch(currentUrl, { L167: headers: FETCH_HEADERS, ... L196: contentLength: contentLengthHeader ? Number(contentLengthHeader) : null, L197: body: response, L198: finalUrl: currentUrl, ... L225: } L226: const buffer = await response.body.arrayBuffer(); L227: if (buffer.byteLength > MAX_PDF_BYTES) {
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/tools/web-fetch.jsView on unpkg · L4

Findings

2 High4 Medium6 Low
HighSandbox Evasion Gated Capabilitydist/core/radio.js
HighCloud Metadata Accessdist/tools/web-fetch.js
MediumDynamic Requiredist/tools/html-extract.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/core/hashline.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings