registry  /  @kody-ade/kody-chat  /  0.1.3

@kody-ade/kody-chat@0.1.3

⚠ Under review

Kody Chat — multi-tenant branded client chat product and embeddable chat platform

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 626 file(s), 3.84 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.deepseek.com, api.example.com, api.fly.io, api.github.com, api.githubcopilot.com, api.groq.com, api.machines.dev, api.minimax.io, api.mistral.ai, api.openai.com, api.telegram.org, api.x.ai, cdn.jsdelivr.net, discord.com, fly.io, generativelanguage.googleapis.com, github.com, hooks.slack.com, keepachangelog.com, kody.local, openrouter.ai, r.jina.ai, raw.githubusercontent.com, semver.org, terminal-bridge.internal, www.githubstatus.com, www.w3.org

Source & flagged code

3 flagged · loading source
src/dashboard/lib/github-client.tsView file
133const { revalidateTag } = L134: require("next/cache") as typeof import("next/cache"); L135: /* eslint-enable @typescript-eslint/no-require-imports */
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/dashboard/lib/github-client.tsView on unpkg · L133
src/dashboard/lib/terminal/local-chat-session.tsView file
8L9: import { spawnSync } from "node:child_process"; L10: import { createHash } from "node:crypto"; ... L18: type: "output"; L19: data: string; L20: at: string; ... L68: onExit( L69: callback: (event: { exitCode: number; signal?: number }) => void, L70: ): void; ... L101: const NODE_PTY_PACKAGE = "node" + "-pty"; L102: const NODE_PTY_PACKAGE_JSON = `${NODE_PTY_PACKAGE}/package.json`; L103: const LOCAL_TERMINAL_UNAVAILABLE_MESSAGE =
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/dashboard/lib/terminal/local-chat-session.tsView on unpkg · L8
src/dashboard/lib/notifications/channels/discord.tsView file
13) { L14: return "Must be a Discord webhook URL (https://discord.com/api/webhooks/...)"; L15: } ... L26: headers: { "Content-Type": "application/json" }, L27: body: JSON.stringify({ content }), L28: }); L29: if (!res.ok) { L30: const detail = await res.text().catch(() => ""); L31: throw new Error(`Discord ${res.status}: ${detail.slice(0, 200)}`);
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

src/dashboard/lib/notifications/channels/discord.tsView on unpkg · L13

Findings

1 Critical3 Medium5 Low
CriticalCredential Exfiltrationsrc/dashboard/lib/notifications/channels/discord.ts
MediumDynamic Requiresrc/dashboard/lib/github-client.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/dashboard/lib/terminal/local-chat-session.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings