registry  /  @kodax-ai/kodax  /  0.7.58

@kodax-ai/kodax@0.7.58

⚠ Under review

KodaX lightweight coding agent - TypeScript implementation with 15 built-in LLM provider aliases, published as a Node-free single-file CLI and SDK

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 55 file(s), 2.82 MB of source, external domains: 127.0.0.1, api.example.com, evil.com, github.com, www.bing.com
Oversized source lightweight scan
dist/kodax_cli.js2.16 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsDynamicRequireHighEntropyStringsMinified

Source & flagged code

9 flagged · loading source
dist/semantic-worker.jsView file
2var Yn=Object.defineProperty;var a=(O,e)=>Yn(O,"name",{value:e,configurable:!0});var Z=(O,e)=>()=>(O&&(e=O(O=0)),e);var Vn=(O,e)=>{for(var t in e)Yn(O,t,{get:e[t],enumerable:!0})};... L3: `,"utf8"),await is(n,O)}catch(i){throw await be.rm(n,{force:!0}).catch(()=>{}),i}await rs(t,wt.basename(O)).catch(()=>{})}async function rs(O,e){let t=`${e}.`,n=Date.now(),i=await ... L4: `)}let o=0,l=!1,Q=r;for(let c=r;c<O.length;c+=1){let d=O[c]??"";if(o+=oe(d),d.includes("{")&&(l=!0),Q=c,l&&o<=0&&c>r||!l&&c+1>=s)break}let h=l?Q+1:s;return O.slice(r,h).join(`
High
Child Process

Package source references child process execution.

dist/semantic-worker.jsView on unpkg · L2
dist/chunks/chunk-7QB55SYG.jsView file
223${o}`}i(Cw,"tailToBytes");function Ye(e){return e.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;")}i(Ye,"escapeXmlContent");function Dd(){let e="[Tool Error] /goal f... L224: `)}i(qd,"toolGetGoal");async function Bd(e,t){let n=ji(t),r=typeof e.objective=="string"?e.objective.trim():"";if(!r)return"[Tool Error] create_goal: missing required parameter `ob... L225: Artifact: ${e.artifactRef}
High
Eval

Package source references dynamic code evaluation.

dist/chunks/chunk-7QB55SYG.jsView on unpkg · L223
298`)}catch(n){return`[Tool Error] activate_agent: ${n.message}`}}i(Au,"toolActivateAgent");var jr=Object.freeze({web_search:'Discover web content when no specific URL is known \u2014... L299: `)}i(rk,"buildResult");var ok=i(async(e,t)=>{let n=e,r=typeof n.query=="string"?n.query:"";if(r.length===0)return"tool_search: `query` is required. Forms: `select:NAME[,NAME...]` f... L300:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/chunks/chunk-7QB55SYG.jsView on unpkg · L298
173`)}i(Jl,"[redacted]");function Yl(e,t){return["Your previous response did not produce a valid result object for the workflow.","Problems:",...e.map(n=>`- ${n}... L174: `)}i(Yl,"[redacted]");var Ai,Tr;async function rd(){if(Ai)return Ai;if(!Tr){let e="./agent.js";Tr=import("./agent-YJNC2755.js").then(t=>{let n=t.runKodaX;if(... L175: `),_y=["Create a short user-facing digest of your previous report for the parent workflow.","Return only 2-4 bullet lines.","Each bullet must be concrete: a finding, decision, risk...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunks/chunk-7QB55SYG.jsView on unpkg · L173
dist/chunks/chunk-NKHXRN7G.jsView file
210`;)d+=1;continue}if(l==="/"&&f==="*"){for(d+=2;d<e.length&&!(e[d]==="*"&&e[d+1]==="/");)d+=1;d+=2;continue}break}if(e[d]==="]"||e[d]==="}"){r+=1;continue}}t+=c,r+=1}return t}o(Wf,"... L211: \u2026[truncated]\u2026`;function qf(e,t={}){let r=t.maxToolResultBytes??2048,n=t.maxTranscriptBytes??8192,i=[];for(let s of e){let c=Kf(s,r);c!==null&&i.push(c)}return zf(i,n)}o(q... L212: # Claude Code Code Bash command prefix detection
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/chunks/chunk-NKHXRN7G.jsView on unpkg · L210
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/chunks/chunk-NKHXRN7G.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunks/chunk-NKHXRN7G.jsView on unpkg
dist/chunks/chunk-OBPB5BQ6.jsView file
1Cross-file remote execution chain: dist/chunks/chunk-OBPB5BQ6.js spawns dist/chunks/chunk-7QB55SYG.js; helper contains network access plus dynamic code execution. L1: // @kodax-ai/kodax — bundled distribution. See docs/ADR.md ADR-022 + ADR-024. L2: import{$ as cc,A as RS,B as ps,Ba as rm,C as Eu,Ca as Du,D as ES,Da as XS,E as ic,Ea as qS,F as Xp,G as AS,H as qp,I as ni,J as Jp,K as sc,L as Qp,M as Zp,N as _S,O as LS,P as ms,Q... L3: `).length,i={width:n,height:r};return lw.set(e,i),i},"measureText"),pm=vE;import kE from"wrap-ansi";import RE from"cli-truncate";var uw={},EE=o((e,t,n)=>{let r=e+String(t)+String(n... ... L12: `).repeat(N);g&&(O=qu.dim(O));let G=(tr(a.right,f,"foreground")+` L13: `).repeat(N);S&&(G=qu.dim(G));let Y=b?tr((T?a.bottomLeft:"")+a.bottom.repeat(A)+(v?a.bottomRight:""),l,"foreground"):void 0;b&&m&&(Y=qu.dim(Y));let re=w?1:0;D&&r.write(e,t,D,{trans... L14: `.repeat(i)+oM(t,r)}return t},"applyPaddingToText"),Qu=o((e,t={})=>{if(t.sk[redacted]&&e.internal_static||e.yogaNode?.getDisplay()===xo.DISPLAY_NONE)return"";let n="";if(e.no... ... L20: `:"",frame:void 0}}let r=new Es({width:e.yogaNode.getComputedWidth(),height:e.yogaNode.getComputedHeight()});Ew(),Tm(e,r,{…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunks/chunk-OBPB5BQ6.jsView on unpkg · L1
dist/kodax_cli.jsView file
path = dist/kodax_cli.js kind = oversized_source_file sizeBytes = 2265379 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/kodax_cli.jsView on unpkg
path = dist/kodax_cli.js kind = oversized_cli_entrypoint sizeBytes = 2265379 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/kodax_cli.jsView on unpkg

Findings

2 Critical5 High5 Medium4 Low
CriticalSame File Env Network Executiondist/chunks/chunk-NKHXRN7G.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunks/chunk-NKHXRN7G.js
HighChild Processdist/semantic-worker.js
HighEvaldist/chunks/chunk-7QB55SYG.js
HighCommand Output Exfiltrationdist/chunks/chunk-7QB55SYG.js
HighCross File Remote Execution Contextdist/chunks/chunk-OBPB5BQ6.js
HighOversized Source Filedist/kodax_cli.js
MediumDynamic Requiredist/chunks/chunk-7QB55SYG.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/kodax_cli.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings