
@lensmcp/node-instrumentation@1.16.0

Zero-touch Node.js runtime instrumentation for LensMCP — fs/network/exec/db/redis/queue taps + NestJS auto-graft, injected by the runner, never imported by host source.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 4 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 14 file(s), 57.7 KB of source

Source & flagged code

1 flagged
lib/flow-context.js
Line 9: package = @lensmcp/node-instrumentation; repositoryIdentity = lensmcp; dependency = @lensmcp/nest-instrumentation
L9: function primeFlowContext() {
L10: import('@lensmcp/nest-instrumentation')
L11: .then((m) => {
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

lib/flow-context.js · L9

Findings

1 High · 2 Medium · 1 Low
High: Copied Package Dependency Bridge (lib/flow-context.js)
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Filesystem