@link-assistant/agent@0.24.1

A minimal, public domain AI CLI agent compatible with OpenCode's JSON interface. Bun-only runtime.

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 119 file(s), 933 KB of source, external domains: accounts.google.com, aistudio.google.com, api.anthropic.com, api.githubcopilot.com, api.kilo.ai, api.together.xyz, auth.openai.com, chat.qwen.ai, chatgpt.com, claude.ai, cloudcode-pa.googleapis.com, codeassist.google.com, company.ghe.com, console.anthropic.com, console.groq.com, console.mistral.ai, console.x.ai, dashboard.cohere.com, example.com, github.com, mcp.exa.ai, models.dev, oauth2.googleapis.com, opencode.ai, openrouter.ai, platform.deepseek.com, platform.openai.com, portal.qwen.ai, vercel.link, www.googleapis.com, www.perplexity.ai

Source & flagged code

2 flagged
src/util/token.ts
L52: // eslint-disable-next-line @typescript-eslint/no-var-requires
L53: const mod = require('gpt-tokenizer/encoding/o200k_base');
L54: _encoder = mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/util/token.ts · L52
src/auth/plugins.ts
L1: import crypto from 'crypto';
L2: import * as http from 'node:http';
L3: import * as net from 'node:net';
...
L87: function generateRandomString(length: number): string {
L88: return crypto.randomBytes(length).toString('base64url');
L89: }
...
L153: },
L154: body: JSON.stringify({
L155: code: splits[0],
...
L885: const portStr =
L886: process.env['OAUTH_CALLBACK_PORT'] ||
L887: process.env['GOOGLE_OAUTH_CALLBACK_PORT'];
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/auth/plugins.ts · L1

Findings

1 High, 4 Medium, 5 Low
High · Sandbox Evasion Gated Capability · src/auth/plugins.ts
Medium · Dynamic Require · src/util/token.ts
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings