@link-assistant/hive-mind@2.1.0

AI-powered issue solver and hive mind for collaborative problem solving

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Eval · Filesystem · Network · Shell
Supply chain: HighEntropyStrings · UrlStrings
Manifest: No manifest risk signals triggered.
scanned 213 file(s), 3.28 MB of source, external domains: api.anthropic.com, api.openai.com, bun.sh, chatgpt.com, docs.github.com, gist.githubusercontent.com, github.com, models.dev, mycompany.youtrack.cloud, opencode.ai, platform.claude.com, status.anthropic.com, t.me, unpkg.com, www.githubstatus.com

Source & flagged code

5 flagged
src/hive.mjs
L762: // Use spawn to get real-time streaming output while avoiding command-stream's automatic quote addition
L763: const { spawn } = await import('child_process');
L764: // Auto-forward all solve-passthrough options from hive argv to solve.
High
Child Process

Package source references child process execution.

src/hive.mjs · L762

src/git.lib.mjs
L5:
L6: const execAsync = promisify(exec);
L7:
High
Shell

Package source references shell execution.

src/git.lib.mjs · L5

src/use-m-bootstrap.lib.mjs
L44: try {
L45: globalThis.use = (await eval(await fetchUseMCode())).use;
L46: } catch (error) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/use-m-bootstrap.lib.mjs · L44

src/solve.mjs
L5: const earlyArgs = process.argv.slice(2);
L6: const { handleSolveEarlyExit } = await import('./solve.bootstrap.lib.mjs');
L7: await handleSolveEarlyExit(earlyArgs);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/solve.mjs · L5

src/solve.auto-continue.lib.mjs
Cross-file remote execution chain: src/solve.auto-continue.lib.mjs spawns src/use-m-bootstrap.lib.mjs; helper contains network access plus dynamic code execution.
L38: // Import usage limit formatting functions
L39: // See: https://github.com/link-assistant/hive-mind/issues/1152
L40: const usageLimitLib = await import('./usage-limit.lib.mjs');
...
L148: // See: https://github.com/link-assistant/hive-mind/issues/1152
L149: const childProcess = await import('child_process');
L150:
...
L217: stdio: 'inherit',
L218: cwd: process.cwd(),
L219: env: process.env,
L220: });
...
L284: try {
L285: parsed = JSON.parse(result.stdout.toString().trim() || '[]');
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

src/solve.auto-continue.lib.mjs · L38

Findings

3 High · 4 Medium · 6 Low
High · Child Process · src/hive.mjs
High · Shell · src/git.lib.mjs
High · Cross File Remote Execution Context · src/solve.auto-continue.lib.mjs
Medium · Dynamic Require · src/solve.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · src/use-m-bootstrap.lib.mjs
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings