registry  /  @opencoven/coven-code  /  0.6.1

@opencoven/coven-code@0.6.1

Open-source agentic coding TUI for the terminal — OpenCoven fork of Claurst

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoFilesystemNetwork
Supply chain
UrlStrings
Manifest
CopyleftLicense
scanned 1 file(s), 5.02 KB of source, external domains: github.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
install.jsView file
3L4: const https = require('https'); L5: const fs = require('fs'); ... L8: const crypto = require('crypto'); L9: const { execFileSync } = require('child_process'); L10: L11: const pkg = require('./package.json'); L12: const checksums = require('./checksums.json'); ... L15: const BASE_URL = `https://github.com/${REPO}/releases/download/v${VERSION}`; L16: const NATIVE_DIR = path.join(__dirname, 'native'); L17: L18: function getPlatform() {
High
Install Named Payload File

Install-named source file stages remote content through filesystem writes and execution.

install.jsView on unpkg · L3

Findings

2 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighInstall Named Payload Fileinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings
LowCopyleft License