registry  /  @openchamber/web  /  1.14.1

@openchamber/web@1.14.1

[![GitHub stars](https://img.shields.io/github/stars/btriapitsyn/openchamber?style=flat&logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0iI2YxZWNlYyIgdmlld0JveD0iMCAwIDI1Ni

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 594 file(s), 17.2 MB of source, external domains: 10.0.0.5, 100.64.0.1, 127.0.0.1, 169.254.169.254, 172.16.9.9, 192.168.1.1, 192.168.1.74, api.anthropic.com, api.github.com, api.githubcopilot.com, api.kimi.com, api.minimax.io, api.minimaxi.com, api.ngrok.com, api.openai.com, api.openchamber.dev, api.push.apple.com, api.sandbox.push.apple.com, api.trycloudflare.com, api.z.ai, api2.cursor.sh, auth.openai.com, autopush-cloudcode-pa.sandbox.googleapis.com, calendly.com, cdn.example.com, cdn.jsdelivr.net, chatgpt.com, clawdhub.com, cloudcode-pa.googleapis.com, cloudflare.example, daily-cloudcode-pa.sandbox.googleapis.com, demo.ngrok-free.app, developers.cloudflare.com, different.example, discord.gg, docs.openchamber.dev, evil.example, evil.example.com, example.com, forms.gle, generativelanguage.googleapis.com, github.com, mcp.example.com, models.dev, my-server.com, my-tts-server.example.com, nano-gpt.com, ngrok.com, oauth2.googleapis.com, ollama.com
Oversized source lightweight scan
dist/assets/useAppFontEffects-BUUJYbAZ.js2.86 MB file, sampled 256 KB
FilesystemHighEntropyStringsMinifiedUrlStringscdn.jsdelivr.netmodels.dev
dist/assets/vendor-.bun-C6iL44L9.js16.4 MB file, sampled 256 KB
FilesystemNetworkChildProcessObfuscatedHighEntropyStringsMinified

Source & flagged code

11 flagged · loading source
bin/cli.test.jsView file
6import net from 'net'; L7: import { spawn } from 'child_process'; L8: import { pathToFileURL } from 'url';
High
Child Process

Package source references child process execution.

bin/cli.test.jsView on unpkg · L6
bin/lib/cli-startup.jsView file
52L53: function powershellQuote(value) { L54: return `'${String(value).replace(/'/g, "''")}'`;
High
Shell

Package source references shell execution.

bin/lib/cli-startup.jsView on unpkg · L52
3import path from 'path'; L4: import { spawnSync } from 'child_process'; L5: import { DEFAULT_PORT } from './cli-args.js'; ... L13: function getStartupServicePaths() { L14: if (process.platform === 'darwin') { L15: return { L16: platform: 'macos', L17: servicePath: path.join(os.homedir(), 'Library', 'LaunchAgents', `${STARTUP_SERVICE_ID}.plist`), L18: }; ... L78: const env = options.envSnapshot === false ? {} : Object.fromEntries( L79: Object.entries(process.env) L80: .filter(([key, value]) => shouldPersistStartupEnv(key, value))
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/lib/cli-startup.jsView on unpkg · L3
bin/lib/commands-serve.jsView file
189L190: const { startWebUiServer } = await import(pathToFileURL(serverPath).href); L191: const controller = await startWebUiServer({
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/lib/commands-serve.jsView on unpkg · L189
server/lib/opencode/settings-runtime.jsView file
68const raw = await fsPromises.readFile(filePath, 'utf8'); L69: const parsed = JSON.parse(raw); L70: return parsed && typeof parsed === 'object' ? parsed : null; ... L443: const isTransientWindowsReplaceError = (error) => { L444: if (process.platform !== 'win32' || !error || typeof error !== 'object') { L445: return false;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

server/lib/opencode/settings-runtime.jsView on unpkg · L68
server/index.jsView file
4Manifest entrypoint (manifest.main) carries capability families absent from dist/build output: environment+network, execution+network L4: import path from 'path'; L5: import { spawn, spawnSync } from 'child_process'; L6: import fs from 'fs'; L7: import http from 'http'; L8: import net from 'net'; ... L95: const __filename = fileURLToPath(import.meta.url); L96: const __dirname = path.dirname(__filename); L97: ... L146: function shouldSkipCompression(req, res) { L147: if (process.env.OPENCHAMBER_RUNTIME === 'desktop') { L148: return true; ... L173: try {
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

server/index.jsView on unpkg · L4
matchType = previous_version_dangerous_delta matchedPackage = @openchamber/web@1.13.8 matchedIdentity = npm:QG9wZW5jaGFtYmVyL3dlYg:1.13.8 similarity = 0.808 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server/index.jsView on unpkg
server/lib/opencode/lifecycle.jsView file
1import { spawn, spawnSync } from 'node:child_process'; L2: import net from 'node:net'; L3: import { registerManagedProcess, unregisterManagedProcess, reapOrphanedProcesses } from './managed-process-registry.js'; ... L9: L10: const HEALTH_CHECK_TIMEOUT_MS = parsePositiveInt(process.env.OPENCHAMBER_OPENCODE_HEALTH_TIMEOUT_MS, 5000); L11: const HEALTH_CHECK_MAX_CONSECUTIVE_FAILURES = parsePositiveInt(
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

server/lib/opencode/lifecycle.jsView on unpkg · L1
server/lib/cloudflare-tunnel.jsView file
1import { spawn, spawnSync } from 'child_process'; L2: import fs from 'fs'; ... L12: const __filename = fileURLToPath(import.meta.url); L13: const __dirname = path.dirname(__filename); L14: ... L34: if (result.status === 0) { L35: return { available: true, path: target.command, version: result.stdout.trim() }; L36: } ... L44: function [redacted]() { L45: const platform = process.platform; L46: let installCmd = ''; ... L52: } else {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

server/lib/cloudflare-tunnel.jsView on unpkg · L1
server/lib/preview/proxy-runtime.test.js#virtual:normalized:round1View file
17proxyBasePath: '/api/preview/proxy/abc123', L18: targetOrigin: 'http://127.0.0.1:3000', L19: }); ... L314: L315: it('refuses private, loopback and link-local literals on the external path', () => { L316: for (const url of [ ... L320: 'http://192.168.1.1/', L321: 'http://169.254.169.254/latest/meta-data/', L322: 'http://100.64.0.1/',
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

server/lib/preview/proxy-runtime.test.js#virtual:normalized:round1View on unpkg · L17
dist/assets/vendor-.bun-C6iL44L9.jsView file
path = dist/assets/vendor-.bun-C6iL44L9.js kind = oversized_source_file sizeBytes = 17177628 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/assets/vendor-.bun-C6iL44L9.jsView on unpkg

Findings

8 High5 Medium7 Low
HighChild Processbin/cli.test.js
HighShellbin/lib/cli-startup.js
HighEntrypoint Build Divergenceserver/index.js
HighSame File Env Network Executionserver/lib/opencode/lifecycle.js
HighSandbox Evasion Gated Capabilityserver/lib/cloudflare-tunnel.js
HighCloud Metadata Accessserver/lib/preview/proxy-runtime.test.js#virtual:normalized:round1
HighOversized Source Filedist/assets/vendor-.bun-C6iL44L9.js
HighPrevious Version Dangerous Deltaserver/index.js
MediumDynamic Requirebin/lib/commands-serve.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/lib/cli-startup.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoserver/lib/opencode/settings-runtime.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License