registry  /  @openchamber/web  /  1.13.8

@openchamber/web@1.13.8

[![GitHub stars](https://img.shields.io/github/stars/btriapitsyn/openchamber?style=flat&logo=data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0iI2YxZWNlYyIgdmlld0JveD0iMCAwIDI1Ni

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 23 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 571 file(s), 17.7 MB of source, external domains: 10.0.0.5, 100.64.0.1, 127.0.0.1, 169.254.169.254, 172.16.9.9, 192.168.1.1, api.anthropic.com, api.github.com, api.kimi.com, api.minimax.io, api.minimaxi.com, api.ngrok.com, api.openchamber.dev, api.trycloudflare.com, api.z.ai, api2.cursor.sh, autopush-cloudcode-pa.sandbox.googleapis.com, cdn.example.com, cdn.jsdelivr.net, chatgpt.com, clawdhub.com, cloudcode-pa.googleapis.com, cloudflare.example, daily-cloudcode-pa.sandbox.googleapis.com, demo.ngrok-free.app, developers.cloudflare.com, discord.gg, docs.openchamber.dev, emscripten.org, example.com, github.com, huggingface.co, mcp.example.com, models.dev, my-server.com, my-tts-server.example.com, nano-gpt.com, ngrok.com, oauth2.googleapis.com, ollama.com, open.bigmodel.cn, openchamber-preview.local, openchamber.dev, openchamber.example.com, opencode.ai, openrouter.ai, pass.wafer.ai, raw.githubusercontent.com, registry.npmjs.org, service.local
Oversized source lightweight scan
dist/assets/useAppFontEffects-DvSI3H9F.js2.82 MB file, sampled 256 KB
FilesystemHighEntropyStringsMinifiedUrlStringscdn.jsdelivr.netmodels.dev
dist/assets/vendor-.bun-0Jr9pq9K.js17.8 MB file, sampled 256 KB
FilesystemNetworkChildProcessObfuscatedHighEntropyStringsMinified

Source & flagged code

13 flagged · loading source
bin/cli.test.jsView file
6import net from 'net'; L7: import { spawn } from 'child_process'; L8: import { pathToFileURL } from 'url';
High
Child Process

Package source references child process execution.

bin/cli.test.jsView on unpkg · L6
bin/lib/cli-startup.jsView file
52L53: function powershellQuote(value) { L54: return `'${String(value).replace(/'/g, "''")}'`;
High
Shell

Package source references shell execution.

bin/lib/cli-startup.jsView on unpkg · L52
3import path from 'path'; L4: import { spawnSync } from 'child_process'; L5: import { DEFAULT_PORT } from './cli-args.js'; ... L13: function getStartupServicePaths() { L14: if (process.platform === 'darwin') { L15: return { L16: platform: 'macos', L17: servicePath: path.join(os.homedir(), 'Library', 'LaunchAgents', `${STARTUP_SERVICE_ID}.plist`), L18: }; ... L78: const env = options.envSnapshot === false ? {} : Object.fromEntries( L79: Object.entries(process.env) L80: .filter(([key, value]) => shouldPersistStartupEnv(key, value))
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/lib/cli-startup.jsView on unpkg · L3
dist/assets/wasmSttWorker-Bv3ywl_v.jsView file
1function _mergeNamespaces(d,t){return t.forEach(function(i){i&&typeof i!="string"&&!Array.isArray(i)&&Object.keys(i).forEach(function(s){if(s!=="default"&&!(s in d)){var l=Object.g... L2: `),N=S=>_.writeSync(2,S+` L3: `));var D,I=n.print||B,F=n.printErr||N;Object.assign(n,w),w=null,n.thisProgram&&(T=n.thisProgram),n.quit&&(x=n.quit),n.wasmBinary&&(D=n.wasmBinary);var K=n.noExitRuntime||!1;typeof... L4: `},"%p":function(H){return 0<=H.dc&&12>H.dc?"AM":"PM"},"%S":function(H){return q(H.Lc,2)},"%t":function(){return" "},"%u":function(H){return H.Tb||7},"%U":function(H){return q(Math... L5: `},"%p":function(W){return 0<=W.Gb&&12>W.Gb?"AM":"PM"},"%S":function(W){return Y(W.$b,2)},"%t":function(){return" "},"%u":function(W){return W.Ab||7},"%U":function(W){return Y(Math... L6: vec2 offsetToCoords(int offset, int width, int height) { ... L1785: ${u}`);return r}deleteShader(u){this.gl.deleteShader(u)}bindTextureToUniform(u,n,e){const r=this.gl;r.activeTexture(r.TEXTURE0+n),this.checkError(),r.bindTexture(r.TEXTURE_2D,u),th... L1786: `},1670:d=>{d.exports=__WEBPACK_EXTERNAL_MODULE__1670__},7067:()=>{},1296:()=>{},1384:()=>{},3993:()=>{},908:()=>{},6953:()=>{},9925:()=>{},2806:()=>{},644
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/assets/wasmSttWorker-Bv3ywl_v.jsView on unpkg · L1
4`},"%p":function(H){return 0<=H.dc&&12>H.dc?"AM":"PM"},"%S":function(H){return q(H.Lc,2)},"%t":function(){return" "},"%u":function(H){return H.Tb||7},"%U":function(H){return q(Math... L5: `},"%p":function(W){return 0<=W.Gb&&12>W.Gb?"AM":"PM"},"%S":function(W){return Y(W.$b,2)},"%t":function(){return" "},"%u":function(W){return W.Ab||7},"%U":function(W){return Y(Math... L6: vec2 offsetToCoords(int offset, int width, int height) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/wasmSttWorker-Bv3ywl_v.jsView on unpkg · L4
bin/lib/commands-serve.jsView file
189L190: const { startWebUiServer } = await import(pathToFileURL(serverPath).href); L191: const controller = await startWebUiServer({
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/lib/commands-serve.jsView on unpkg · L189
server/lib/opencode/settings-runtime.jsView file
68const raw = await fsPromises.readFile(filePath, 'utf8'); L69: const parsed = JSON.parse(raw); L70: return parsed && typeof parsed === 'object' ? parsed : null; ... L443: const isTransientWindowsReplaceError = (error) => { L444: if (process.platform !== 'win32' || !error || typeof error !== 'object') { L445: return false;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

server/lib/opencode/settings-runtime.jsView on unpkg · L68
server/index.jsView file
4Manifest entrypoint (manifest.main) carries capability families absent from dist/build output: environment+network, execution+network L4: import path from 'path'; L5: import { spawn, spawnSync } from 'child_process'; L6: import fs from 'fs'; L7: import http from 'http'; L8: import net from 'net'; ... L90: const __filename = fileURLToPath(import.meta.url); L91: const __dirname = path.dirname(__filename); L92: ... L163: try { L164: const packagePath = path.resolve(__dirname, '..', 'package.json'); L165: const raw = fs.readFileSync(packagePath, 'utf8'); L166: const pkg = JSON.parse(raw);
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

server/index.jsView on unpkg · L4
server/lib/opencode/lifecycle.jsView file
1import { spawn, spawnSync } from 'node:child_process'; L2: import net from 'node:net'; L3: import { registerManagedProcess, unregisterManagedProcess, reapOrphanedProcesses } from './managed-process-registry.js'; ... L9: L10: const HEALTH_CHECK_TIMEOUT_MS = parsePositiveInt(process.env.OPENCHAMBER_OPENCODE_HEALTH_TIMEOUT_MS, 5000); L11: const HEALTH_CHECK_MAX_CONSECUTIVE_FAILURES = parsePositiveInt(
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

server/lib/opencode/lifecycle.jsView on unpkg · L1
server/lib/cloudflare-tunnel.jsView file
1import { spawn, spawnSync } from 'child_process'; L2: import fs from 'fs'; ... L12: const __filename = fileURLToPath(import.meta.url); L13: const __dirname = path.dirname(__filename); L14: ... L34: if (result.status === 0) { L35: return { available: true, path: target.command, version: result.stdout.trim() }; L36: } ... L44: function [redacted]() { L45: const platform = process.platform; L46: let installCmd = ''; ... L52: } else {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

server/lib/cloudflare-tunnel.jsView on unpkg · L1
server/lib/preview/proxy-runtime.test.js#virtual:normalized:round1View file
17proxyBasePath: '/api/preview/proxy/abc123', L18: targetOrigin: 'http://127.0.0.1:3000', L19: }); ... L314: L315: it('refuses private, loopback and link-local literals on the external path', () => { L316: for (const url of [ ... L320: 'http://192.168.1.1/', L321: 'http://169.254.169.254/latest/meta-data/', L322: 'http://100.64.0.1/',
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

server/lib/preview/proxy-runtime.test.js#virtual:normalized:round1View on unpkg · L17
dist/assets/ibm-plex-sans-latin-600-normal-CuJfVYMP.woff2View file
path = dist/assets/ibm-plex-sans-latin-600-normal-CuJfVYMP.woff2 kind = high_entropy_blob sizeBytes = 24252 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/assets/ibm-plex-sans-latin-600-normal-CuJfVYMP.woff2View on unpkg
dist/assets/vendor-.bun-0Jr9pq9K.jsView file
path = dist/assets/vendor-.bun-0Jr9pq9K.js kind = oversized_source_file sizeBytes = 18656835 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/assets/vendor-.bun-0Jr9pq9K.jsView on unpkg

Findings

9 High5 Medium9 Low
HighChild Processbin/cli.test.js
HighShellbin/lib/cli-startup.js
HighEntrypoint Build Divergenceserver/index.js
HighSame File Env Network Executionserver/lib/opencode/lifecycle.js
HighSandbox Evasion Gated Capabilityserver/lib/cloudflare-tunnel.js
HighCloud Metadata Accessserver/lib/preview/proxy-runtime.test.js#virtual:normalized:round1
HighObfuscated Payload Loaderdist/assets/wasmSttWorker-Bv3ywl_v.js
HighShips High Entropy Blobdist/assets/ibm-plex-sans-latin-600-normal-CuJfVYMP.woff2
HighOversized Source Filedist/assets/vendor-.bun-0Jr9pq9K.js
MediumDynamic Requirebin/lib/commands-serve.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/lib/cli-startup.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/assets/wasmSttWorker-Bv3ywl_v.js
LowWeak Cryptoserver/lib/opencode/settings-runtime.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License