
@luckydraw/cumulus@0.31.32

⚠ Under review

RLM-based CLI chat wrapper for Claude with external history context management

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

Behavioral surface (public snapshot)
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Minified, Telemetry, Url Strings
Manifest: No manifest risk signals triggered.
Scanned 78 file(s), 1.71 MB of source. External domains: 127.0.0.1, api.search.brave.com, app.texitool.com, plastic.luckydraw.dev, registry.npmjs.org, router.huggingface.co, www.apple.com, www.w3.org

Source & flagged code

6 flagged
dist/tui/hooks/useClaudeProcess.js
L3: */
L4: import { spawn } from 'child_process';
L5: import { useCallback, useRef } from 'react';

High · Child Process
Package source references child process execution.
dist/tui/hooks/useClaudeProcess.js · L3
dist/lib/gateway.js
L1602: // Windows: spawn() can't directly exec .cmd/.bat shims (CVE-2024-27980).
L1603: // Routing through cmd.exe is required for the npm-installed `claude.cmd`.
L1604: const isWindowsShim = process.platform === 'win32' && /\.(cmd|bat|ps1)$/i.test(resolvedClaudePath);

High · Shell
Package source references shell execution.
dist/lib/gateway.js · L1602
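Added example, not code from @luckydraw/cumulus: what the Windows shim branch flagged above has to get right. On Node releases carrying the CVE-2024-27980 fix, spawn() refuses to run a .cmd or .bat file without a shell, so the launch has to go through cmd.exe, and from that point every argument is text that cmd.exe parses rather than an argv entry. The helper below builds that command line for cmd/bat shims and rejects arguments containing cmd.exe metacharacters instead of trying to escape them; the platform and COMSPEC are parameters so the logic runs on any host. The names (isCmdShim, buildSpawnArgs, demo), the metacharacter policy, and the decision to treat .ps1 shims as unsupported (cmd.exe cannot run them) are this example's own assumptions, not the package's.

```javascript
// Added example (not from @luckydraw/cumulus): launching an npm-installed
// .cmd/.bat shim on Windows without letting argument text reach cmd.exe's parser.
// isCmdShim, buildSpawnArgs, demo and the metacharacter policy are assumptions
// made for this example.

const CMD_SHIM_RE = /\.(cmd|bat)$/i; // shims cmd.exe can run directly
const PS1_RE = /\.ps1$/i;            // cmd.exe cannot run these; they need powershell.exe

// Characters cmd.exe gives meaning to even inside a quoted argument (% expands
// environment variables, ! does so under delayed expansion, " ends the quote)
// plus the operators that would matter if quoting were broken. Refusing them is
// simpler and safer than attempting to escape them.
const CMD_META_RE = /[%!^"&|<>\r\n]/;

function isCmdShim(resolvedPath, platform = process.platform) {
  return platform === 'win32' && CMD_SHIM_RE.test(resolvedPath);
}

/**
 * Returns the { file, args } pair to hand to child_process.spawn() (always with
 * shell: false). On non-Windows hosts, or for a real executable on Windows, the
 * argv array passes straight through and no shell ever sees it.
 */
function buildSpawnArgs(resolvedPath, args, platform = process.platform,
                        comspec = process.env.ComSpec || 'cmd.exe') {
  if (!isCmdShim(resolvedPath, platform)) {
    if (platform === 'win32' && PS1_RE.test(resolvedPath)) {
      throw new Error('PowerShell shims are not supported by this launcher');
    }
    return { file: resolvedPath, args: [...args] };
  }
  for (const token of [resolvedPath, ...args]) {
    if (CMD_META_RE.test(token)) {
      throw new Error(`refusing token with cmd.exe metacharacters: ${JSON.stringify(token)}`);
    }
  }
  // /d skips AutoRun commands, /s makes cmd strip exactly the outer pair of
  // quotes, /c runs the command and exits. Each token is quoted so spaces survive.
  const commandLine = [resolvedPath, ...args].map((t) => `"${t}"`).join(' ');
  return { file: comspec, args: ['/d', '/s', '/c', `"${commandLine}"`] };
}

// Constructed inputs: the POSIX launch needs no quoting at all; the Windows shim does.
function demo() {
  return {
    posix: buildSpawnArgs('/usr/local/bin/claude', ['--print', 'hello world'], 'linux'),
    win: buildSpawnArgs('C:\\Users\\me\\AppData\\Roaming\\npm\\claude.cmd',
                        ['--print', 'hello world'], 'win32', 'cmd.exe'),
  };
}
```

The check to run against the real package is whether the code after L1604 quotes or validates the arguments it passes to cmd.exe; an unvalidated user-controlled argument such as a prompt string is exactly the kind of value that `%` expansion or a stray `"` turns into command execution.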
dist/gateway/server.js
L16: */
L17: import { execFileSync } from 'child_process';
L18: import * as crypto from 'crypto';
L19: import * as fs from 'fs';
L20: import * as http from 'http';
L21: import * as os from 'os';
...
L125: try {
L126:   res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
L127: }
...
L283: const raw = await readBody(req);
L284: body = JSON.parse(raw);
L285: }

Low · Weak Crypto
Package source references weak cryptographic algorithms. The excerpt shows only the crypto import, an SSE write and a JSON body parse; the algorithm that triggered this rule is not in the displayed lines.
dist/gateway/server.js · L16
dist/gateway/setup.js
L7: */
L8: import { execSync } from 'child_process';
L9: import { randomBytes } from 'crypto';
...
L12: import * as path from 'path';
L13: const CUMULUS_DIR = process.env.CUMULUS_DIR || path.join(os.homedir(), '.cumulus');
L14: const CONFIG_PATH = path.join(CUMULUS_DIR, 'gateway.config.json');
...
L17: '.git',
L18: 'package.json',
L19: 'Cargo.toml',
...
L70: const readline = await import('readline');
L71: const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
L72: const prompt = defaultValue ? `${question} [${defaultValue}]: ` : `${question}: `;

Medium · Install Persistence
Source writes installer persistence such as shell profile or service configuration. The displayed lines show only a config path under CUMULUS_DIR (defaulting to ~/.cumulus) and an interactive prompt; the write that triggered this rule is outside the excerpt.
dist/gateway/setup.js · L7
dist/lib/version-check.js
L179: // ─── Perform update ──────────────────────────────────────────
L180: /** Check if sudo is needed for global npm install */
L181: export async function needsSudo() {
L182:   const { execSync } = await import('child_process');
L183:   try {

High · Runtime Package Install
Package source invokes a package manager install command at runtime. The excerpt shows only the sudo check that precedes a self-update; the install command itself is outside the displayed lines.
dist/lib/version-check.js · L179
dist/gateway/daemon.js
matchType = previous_version_dangerous_delta
matchedPackage = @luckydraw/cumulus@0.31.31
matchedIdentity = npm:QGx1Y2t5ZHJhdy9jdW11bHVz:0.31.31
similarity = 0.974
summary = stored previous version shares package body but lacks this dangerous source file

Critical · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/gateway/daemon.js
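Added example, not the scanner's code: the essence of the previous-version delta check behind the Critical finding above. Two package versions are represented as maps from file path to source text; files present only in the newer version are classified with a few source signals of the kind listed under Behavioral surface (child_process import, shell execution call, network import). The similarity metric here (files identical in both versions over the union of files) is this example's own choice and is not how the 0.974 figure above was necessarily computed; SIGNALS, versionDelta, sampleDelta and the sample files are constructed for the example.

```javascript
// Added example (not the scanner's code): a minimal "previous version dangerous
// delta" check. SIGNALS, versionDelta and sampleDelta are this example's own.

const SIGNALS = [
  { name: 'child_process', re: /\b(from|require\()\s*['"](node:)?child_process['"]/ },
  { name: 'shell_exec',    re: /\b(execSync|execFileSync|spawnSync|exec|spawn)\s*\(/ },
  { name: 'network',       re: /\b(from|require\()\s*['"](node:)?(http|https|net|ws)['"]/ },
];

// Names of every signal whose pattern appears in the given source text.
function dangerousSignals(source) {
  return SIGNALS.filter(({ re }) => re.test(source)).map(({ name }) => name);
}

// previous and current: { [path]: sourceText }. Returns the added/removed file
// lists, a crude body similarity, and the added files that carry a signal.
function versionDelta(previous, current) {
  const prevFiles = Object.keys(previous);
  const curFiles = Object.keys(current);
  const union = new Set([...prevFiles, ...curFiles]);
  const identical = curFiles.filter((f) => f in previous && previous[f] === current[f]).length;
  const added = curFiles.filter((f) => !(f in previous));
  const removed = prevFiles.filter((f) => !(f in current));
  const dangerousAdded = added
    .map((file) => ({ file, signals: dangerousSignals(current[file]) }))
    .filter((entry) => entry.signals.length > 0);
  return {
    similarity: identical / union.size,
    added,
    removed,
    dangerousAdded,
    verdict: dangerousAdded.length > 0 ? 'route for source-aware review' : 'no dangerous delta',
  };
}

// Constructed sample: three files unchanged between versions, plus one new
// daemon file in the newer version that imports child_process and calls execSync.
function sampleDelta() {
  const shared = {
    'package.json': '{ "name": "example-pkg", "version": "0.1.0" }',
    'dist/index.js': "export { run } from './lib/run.js';",
    'dist/lib/run.js': 'export function run() { return 1; }',
  };
  const previous = { ...shared };
  const current = {
    ...shared,
    'dist/gateway/daemon.js':
      "import { execSync } from 'child_process';\n" +
      "export function start() { return execSync('node server.js'); }\n",
  };
  return versionDelta(previous, current);
}
```

To reproduce the real delta rather than the constructed one, run `npm pack @luckydraw/cumulus@0.31.31` and `npm pack @luckydraw/cumulus@0.31.32`, unpack both tarballs, read each file into a path-to-source map, and pass the two maps to versionDelta(); the report above says dist/gateway/daemon.js should appear under added, and reading that file is the source-aware review the finding asks for.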

Findings

1 Critical · 3 High · 4 Medium · 7 Low

Critical · Previous Version Dangerous Delta · dist/gateway/daemon.js
High · Child Process · dist/tui/hooks/useClaudeProcess.js
High · Shell · dist/lib/gateway.js
High · Runtime Package Install · dist/lib/version-check.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/gateway/setup.js
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/gateway/server.js
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings