registry  /  @newtype-os/plugin  /  0.0.32

@newtype-os/plugin@0.0.32

AI Agent Collaboration System for Creator Life OS - OpenCode plugin

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 3 file(s), 2.94 MB of source, external domains: accounts.google.com, bun.sh, clangd.llvm.org, cli.github.com, clojure-lsp.io, cloudcode-pa.googleapis.com, daily-cloudcode-pa.googleapis.com, daily-cloudcode-pa.sandbox.googleapis.com, deno.land, github.com, gleam.run, json-schema.org, mcp.exa.ai, oauth2.googleapis.com, opencode.ai, raw.githubusercontent.com, registry.npmjs.org, www.googleapis.com

Source & flagged code

5 flagged · loading source
dist/google-auth.jsView file
2939import { fileURLToPath } from "url"; L2940: import childProcess3 from "child_process"; L2941: import fs6, { constants as fsConstants2 } from "fs/promises";
High
Child Process

Package source references child process execution.

dist/google-auth.jsView on unpkg · L2939
3016L3017: // node_modules/powershell-utils/index.js L3018: import process3 from "process";
High
Shell

Package source references shell execution.

dist/google-auth.jsView on unpkg · L3016
dist/index.jsView file
207Cross-file remote execution chain: dist/index.js spawns dist/cli/index.js; helper contains network access plus dynamic code execution. L207: } L208: if (typeof process !== "undefined" && process.platform) { L209: return process.platform === "win32"; ... L306: const eos = () => index >= length; L307: const peek = () => str2.charCodeAt(index + 1); L308: const advance = () => { ... L1557: var env = p.env || {}; L1558: var isColorSupported = !(!!env.NO_COLOR || argv.includes("--no-color")) && (!!env.FORCE_COLOR || argv.includes("--color") || p.platform === "win32" || (p.stdout || {}).isTTY && env... L1559: var formatter = (open, close, replace = open) => (input) => { ... L2801: var names = { L2802: data: new codegen_1.Name("data"), L2803: valCxt: new codegen_1.Name("valCxt"),
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L207
4467sourceCode = this.opts.code.process(sourceCode, sch); L4468: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L4469: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L4467
dist/cli/ast-grep-napi.linux-x64-gnu-jfv8414z.nodeView file
path = dist/cli/ast-grep-napi.linux-x64-gnu-jfv8414z.node kind = native_binary sizeBytes = 7739648 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/cli/ast-grep-napi.linux-x64-gnu-jfv8414z.nodeView on unpkg

Findings

3 High5 Medium6 Low
HighChild Processdist/google-auth.js
HighShelldist/google-auth.js
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarydist/cli/ast-grep-napi.linux-x64-gnu-jfv8414z.node
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings