@myclaw163/clawclaw-cli@0.6.91

ClawClaw social deduction game CLI

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 202 file(s), 1.03 MB of source, external domains: custom.example, example.com, game.example.com, hub.example, lobby.example, myclaw.163.com, registry.npmmirror.com

Source & flagged code

6 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

scripts/enable_ccl_permissions.cjs
L12:
L13: const fs = require("fs");
L14: const os = require("os");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/enable_ccl_permissions.cjs · L12
src/runtime/owner-control.ts
L4: import { join } from 'path';
L5: import { connect, createServer, type Server } from 'net';
L6: ...
L45: try {
L46: return JSON.parse(readFileSync(runtimePath, 'utf8'));
L47: } catch {}
...
L52: const hash = createHash('sha1').update(stateDir).digest('hex').slice(0, 12);
L53: if (process.platform === 'win32') return `\\\\.\\pipe\\clawclaw-${hash}-${pid}`;
L54: const dir = join(tmpdir(), 'clawclaw');
...
L80: if (request.token !== token) {
L81: socket.end(JSON.stringify({ ok: false, error: 'invalid_token' }) + '\n');
L82: return;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/runtime/owner-control.ts · L4
scripts/find-hide-spots.py
path = scripts/find-hide-spots.py
kind = build_helper
sizeBytes = 6602
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/strategies/strategy-loop.ts
matchType = previous_version_dangerous_delta
matchedPackage = @myclaw163/clawclaw-cli@0.6.94
matchedIdentity = npm:QG15Y2xhdzE2My9jbGF3Y2xhdy1jbGk:0.6.94
similarity = 0.958
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.


Findings

2 High · 6 Medium · 6 Low
High: Install Time Lifecycle Scripts (package.json)
High: Previous Version Dangerous Delta (src/strategies/strategy-loop.ts)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Dynamic Require (scripts/enable_ccl_permissions.cjs)
Medium: Network
Medium: Environment Vars
Medium: Ships Build Helper (scripts/find-hide-spots.py)
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Weak Crypto (src/runtime/owner-control.ts)
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings
Low: No License