registry  /  @kraki/tentacle  /  0.25.0

@kraki/tentacle@0.25.0

Kraki agent bridge — the arm that connects your coding agent to the head

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 32 file(s), 487 KB of source, external domains: 127.0.0.1, api.github.com, app.kraki.chat, docs.anthropic.com, github.com, relay.kraki.chat, www.apple.com

Source & flagged code

6 flagged · loading source
dist/checks.jsView file
6*/ L7: import { execSync } from 'node:child_process'; L8: import { constants as fsConstants, promises as fsp, appendFileSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/checks.jsView on unpkg · L6
20* where even `%SystemRoot%\System32` is absent. Tools that spawn L21: * `powershell.exe` / `pwsh.exe` / `where` / `cmd` by short name then L22: * fail with ENOENT — notably the GitHub Copilot SDK, whose PowerShell
High
Shell

Package source references shell execution.

dist/checks.jsView on unpkg · L20
dist/daemon.jsView file
7* On macOS, downloaded SEA binaries carry com.apple.provenance which L8: * cannot be removed. macOS 26+ CSM 2 blocks direct fork()+execve() of L9: * such binaries from child processes. To bypass this, macOS SEA builds L10: * use launchctl to have launchd spawn the daemon in a completely L11: * independent context. If launchctl also fails, the caller falls back ... L36: const home = getKrakiHome(); L37: const defaultHome = join(homedir(), '.kraki'); L38: if (resolve(home) === resolve(defaultHome)) ... L67: if (seaMode) { L68: const { COPILOT_SDK_AUTH_TOKEN: _, COPILOT_AGENT_SESSION_ID: _2, COPILOT_CLI: _3, GITHUB_TOKEN: seaInheritedGhToken, ...seaCleanEnv } = process.env; L69: if (seaInheritedGhToken && !seaInheritedGhToken.startsWith('gho_')) { ... L276: // context that isn't blocked by CSM provenance tracking.
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/daemon.jsView on unpkg · L7
dist/update.jsView file
9*/ L10: import { execSync } from 'node:child_process'; L11: import { existsSync, readFileSync, writeFileSync, mkdirSync, createWriteStream, unlinkSync, chmodSync, renameSync, copyFileSync, realpathSync, rmSync, symlinkSync } from 'node:fs'; ... L13: import { tmpdir, platform } from 'node:os'; L14: import { request as httpRequest } from 'node:http'; L15: import { request as httpsRequest } from 'node:https'; ... L44: } L45: export function shouldBypassProxy(hostname, noProxyRaw = process.env.NO_PROXY ?? process.env.no_proxy ?? '') { L46: if (!noProxyRaw) ... L85: const pass = decodeURIComponent(proxyUrl.password); L86: return `Basic ${Buffer.from(`${user}:${pass}`).toString('base64')}`; L87: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/update.jsView on unpkg · L9
4* Supports two install methods: L5: * - npm global: runs `npm i -g @kraki/tentacle@latest` L6: * - SEA binary: downloads latest release binary from GitHub ... L9: */ L10: import { execSync } from 'node:child_process'; L11: import { existsSync, readFileSync, writeFileSync, mkdirSync, createWriteStream, unlinkSync, chmodSync, renameSync, copyFileSync, realpathSync, rmSync, symlinkSync } from 'node:fs';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/update.jsView on unpkg · L4
dist/adapters/copilot.jsView file
266package = @kraki/tentacle; repositoryIdentity = kraki; dependency = @github/copilot-sdk L266: try { L267: return await import('@github/copilot-sdk'); L268: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/adapters/copilot.jsView on unpkg · L266

Findings

5 High4 Medium5 Low
HighChild Processdist/checks.js
HighShelldist/checks.js
HighSandbox Evasion Gated Capabilitydist/update.js
HighCopied Package Dependency Bridgedist/adapters/copilot.js
HighRuntime Package Installdist/update.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/daemon.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License