registry  /  @omp-studio/omps  /  0.1.7

@omp-studio/omps@0.1.7

OMP Studio agent (omps): open, sync and version Grenton .omp projects in the hosted editor

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 15 file(s), 117 KB of source, external domains: 127.0.0.1, omp-studio.coderai.dev

Source & flagged code

2 flagged · loading source
dist/winsetup.jsView file
5* All system integration lives HERE, in Node, on purpose: an installer-shaped L6: * PowerShell script (writing .cmd shims, registry shell verbs, uninstall L7: * scripts) trips AV script heuristics — Bitdefender's Boxter family flagged L8: * exactly that. The PS script stays trivial (download, unzip, npm install) and L9: * everything AV-sensitive happens in a regular program via reg.exe/powershell ... L20: const VERB_KEY = "HKCU\\Software\\Classes\\SystemFileAssociations\\.omp\\shell\\OMPStudio"; L21: /** `omps` shim: runs this package with the private runtime two dirs up. */ L22: export function ompsShim() { ... L51: if (r.status !== 0) L52: throw new Error(`${what} failed (exit code ${String(r.status)})`); L53: } L54: function defaultRoot() {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/winsetup.jsView on unpkg · L5
matchType = previous_version_dangerous_delta matchedPackage = @omp-studio/omps@0.1.6 matchedIdentity = npm:QG9tcC1zdHVkaW8vb21wcw:0.1.6 similarity = 0.929 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/winsetup.jsView on unpkg

Findings

2 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/winsetup.js
HighPrevious Version Dangerous Deltadist/winsetup.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License