registry  /  @keystrokehq/keystroke  /  0.1.38

@keystrokehq/keystroke@0.1.38

⚠ Under review

Keystroke authoring facade — re-exports primitives for user projects.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 386 file(s), 9.39 MB of source, external domains: ai-gateway.vercel.sh, ai-sdk.dev, angular.io, api.keystroke.ai, api.vercel.com, cscott.net, datatracker.ietf.org, dom.spec.whatwg.org, example.com, github.com, json-schema.org, landley.net, modelcontextprotocol.io, raw.githubusercontent.com, trac.webkit.org, vercel.com, www.ibm.com, www.w3.org, www.whatwg.org

Source & flagged code

6 flagged · loading source
dist/dist-DL3p2pu7.mjsView file
17378} L17379: async exec(t, s) { L17380: if (this.state.callDepth === 0 && (this.state.commandCount = 0), this.state.commandCount++, this.state.commandCount > this.limits.maxCommandCount) return {
High
Child Process

Package source references child process execution.

dist/dist-DL3p2pu7.mjsView on unpkg · L17378
dist/dist-CB_SkwlE.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @keystrokehq/keystroke@0.1.35 matchedIdentity = npm:QGtleXN0cm9rZWhxL2tleXN0cm9rZQ:0.1.35 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/dist-CB_SkwlE.mjsView on unpkg
33924if (error) { L33925: if (command.name === "exec" && error.message === "EXECABORT Transaction discarded because of previous errors.") continue; L33926: if (!commonError) commonError = {
High
Shell

Package source references shell execution.

dist/dist-CB_SkwlE.mjsView on unpkg · L33924
dist/chunk-TN7HHBQW-D_SK6w5n.cjsView file
17strategy: "throw", L18: reason: "eval() allows arbitrary code execution" L19: },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/chunk-TN7HHBQW-D_SK6w5n.cjsView on unpkg · L17
dist/chunk-GSPYNYZA-uQ_XOEWe.cjsView file
1const require_dist = require("./dist-BBGCAuTi.cjs"); L2: const require_chunk_QAYAQNCG = require("./chunk-QAYAQNCG-ROQh1hrZ.cjs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-GSPYNYZA-uQ_XOEWe.cjsView on unpkg · L1
dist/js-exec-N5KEZBH7-D3Pn2n6L.mjsView file
40Cross-file remote execution chain: dist/js-exec-N5KEZBH7-D3Pn2n6L.mjs spawns dist/dist-DL3p2pu7.mjs; helper contains network access plus dynamic code execution. L40: Available modules: L41: fs, path, child_process, process, console, L42: os, url, assert, util, events, buffer, stream, ... L55: child_process: L56: execSync(cmd) throws on non-zero exit, returns stdout L57: spawnSync(cmd, args) returns { stdout, stderr, status } ... L61: L62: os: platform(), arch(), homedir(), tmpdir(), type(), hostname(), L63: EOL, cpus(), endianness() L64: L65: url: URL, URLSearchParams, parse(), format() L66:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/js-exec-N5KEZBH7-D3Pn2n6L.mjsView on unpkg · L40

Findings

1 Critical3 High4 Medium8 Low
CriticalPrevious Version Dangerous Deltadist/dist-CB_SkwlE.mjs
HighChild Processdist/dist-DL3p2pu7.mjs
HighShelldist/dist-CB_SkwlE.mjs
HighCross File Remote Execution Contextdist/js-exec-N5KEZBH7-D3Pn2n6L.mjs
MediumDynamic Requiredist/chunk-GSPYNYZA-uQ_XOEWe.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/chunk-TN7HHBQW-D_SK6w5n.cjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License