registry  /  @moxxy/core  /  0.27.0

@moxxy/core@0.27.0

The moxxy runtime as a programmatic library: the agentic Session + runTurn loop, the event log, the plugin host, every block registry (providers, tools, modes, compactors, cache strategies, channels, …), session persistence, and the permission engine. Pai

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 175 file(s), 952 KB of source, external domains: 127.0.0.1, example.com, ok.com, ok.test, x.test

Source & flagged code

2 flagged · loading source
dist/registries/services.jsView file
14} L15: require(name) { L16: if (!this.services.has(name)) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/registries/services.jsView on unpkg · L14
dist/plugins/loader.jsView file
13package = @moxxy/core; repositoryIdentity = moxxy; dependency = jiti L13: try { L14: const mod = await import('jiti'); L15: const factory = mod.createJiti ?? mod.default;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/plugins/loader.jsView on unpkg · L13

Findings

1 High3 Medium4 Low
HighCopied Package Dependency Bridgedist/plugins/loader.js
MediumDynamic Requiredist/registries/services.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings