registry  /  @mmnto/totem  /  1.95.0

@mmnto/totem@1.95.0

Persistent memory and context layer for AI agents

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 262 file(s), 2.99 MB of source, external domains: agents.md, claude.ai, example.com, github.com, img.shields.io, ollama.com, opensource.org, other.com, pkg.go.dev, raw.githubusercontent.com, www.gstatic.com

Source & flagged code

6 flagged · loading source
dist/sanitize.test.jsView file
181patternName = aws_access_key severity = critical line = 181 matchedText = expect(m...]');
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/sanitize.test.jsView on unpkg · L181
181patternName = aws_access_key severity = critical line = 181 matchedText = expect(m...]');
Critical
Secret Pattern

AWS access key ID in dist/sanitize.test.js

dist/sanitize.test.jsView on unpkg · L181
187patternName = google_api_key severity = high line = 187 matchedText = expect(m...]');
High
Secret Pattern

Google API key in dist/sanitize.test.js

dist/sanitize.test.jsView on unpkg · L187
191patternName = generic_password severity = medium line = 191 matchedText = expect(m...'");
Medium
Secret Pattern

Hardcoded password in dist/sanitize.test.js

dist/sanitize.test.jsView on unpkg · L191
dist/retired-lessons.test.jsView file
26const entries = [ L27: { heading: 'Avoid eval()', reason: 'Too broad', retiredAt: '2026-04-01T00:00:00.000Z' }, L28: {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/retired-lessons.test.jsView on unpkg · L26
dist/ast-grep-wasm-shim.test.jsView file
18try { L19: const mod = await import(shimPath); L20: Lang = mod.Lang;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/ast-grep-wasm-shim.test.jsView on unpkg · L18

Findings

2 Critical1 High5 Medium6 Low
CriticalCritical Secretdist/sanitize.test.js
CriticalSecret Patterndist/sanitize.test.js
HighSecret Patterndist/sanitize.test.js
MediumDynamic Requiredist/ast-grep-wasm-shim.test.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/sanitize.test.js
LowScripts Present
LowEvaldist/retired-lessons.test.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings