registry  /  @octostaff/reef  /  0.4.2

@octostaff/reef@0.4.2

OctoStaff reef connector worker — bridges Bubble and hosted A2A agents.

Static Scan Results

scanned 7m ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 405 KB of source, external domains: ai.azure.com, github.com, json-schema.org

Source & flagged code

4 flagged · loading source
dist/lib.jsView file
1import{parseArgs as Fo}from"util";function Uo(e){let{values:t,positionals:r}=Fo({args:e,options:{config:{type:"string",short:"c"},prompt:{type:"string"}},strict:!0,allowPositionals... L2: ${r.newText}`);return t.length>0?t.join(`
High
Child Process

Package source references child process execution.

dist/lib.jsView on unpkg · L1
1import{parseArgs as Fo}from"util";function Uo(e){let{values:t,positionals:r}=Fo({args:e,options:{config:{type:"string",short:"c"},prompt:{type:"string"}},strict:!0,allowPositionals... L2: ${r.newText}`);return t.length>0?t.join(` L3: `):void 0}function ps(e){if(typeof e=="string")return e;if(e&&typeof e=="object"){let t=e;if(typeof t.error=="string")return t.error;if(typeof t.message=="string")return t.message}... L4: ${l}`}let p=Bt(e.buffer,a[s],o[s],e.position,d);l+=`${" ".repeat(r.indent)}${jt((e.line+1).toString(),u)} | ${p.str}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/lib.jsView on unpkg · L1
1import{parseArgs as Fo}from"util";function Uo(e){let{values:t,positionals:r}=Fo({args:e,options:{config:{type:"string",short:"c"},prompt:{type:"string"}},strict:!0,allowPositionals... L2: ${r.newText}`);return t.length>0?t.join(` L3: `):void 0}function ps(e){if(typeof e=="string")return e;if(e&&typeof e=="object"){let t=e;if(typeof t.error=="string")return t.error;if(typeof t.message=="string")return t.message}... L4: ${l}`}let p=Bt(e.buffer,a[s],o[s],e.position,d);l+=`${" ".repeat(r.indent)}${jt((e.line+1).toString(),u)} | ${p.str}
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/lib.jsView on unpkg · L1
package.jsonView file
scripts registry_only=build,dev,dev:azure,dev:mock,format,format:check,lint,lint:fix; devDependencies registry_only=@octostaff/bubble,@octostaff/devkit,@octostaff/sdk,@types/node,@types/ws,eslint,fastify,husky
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalManifest Confusionpackage.json
HighChild Processdist/lib.js
HighSame File Env Network Executiondist/lib.js
HighCommand Output Exfiltrationdist/lib.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings