registry  /  @orchid-labs/pluxx  /  0.1.29

@orchid-labs/pluxx@0.1.29

Build AI agent plugins once. Prime-time on Claude Code, Cursor, Codex, and OpenCode, with beta generators for additional hosts.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 2.57 MB of source, external domains: ampcode.com, api.firecrawl.dev, code.claude.com, cursor.com, developers.openai.com, docs.cline.bot, docs.example.com, docs.openhands.dev, docs.roocode.com, docs.warp.dev, dom.spec.whatwg.org, example.com, geminicli.com, github.com, lists.w3.org, mathiasbynens.be, mcp.linear.app, opencode.ai, tools.ietf.org, trac.webkit.org, url.spec.whatwg.org, www.ibm.com, www.w3.org, www.whatwg.org

Source & flagged code

4 flagged · loading source
dist/cli/index.jsView file
32924patternName = generic_password severity = medium line = 32924 matchedText = password...d]",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/cli/index.jsView on unpkg · L32924
dist/index.jsView file
9075import { resolve as resolve2 } from "path"; L9076: import { spawnSync } from "child_process"; L9077: import { tmpdir } from "os";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L9075
66Cross-file remote execution chain: dist/index.js spawns dist/cli/index.js; helper contains network access plus dynamic code execution. L66: const e2 = __require("node:os"); L67: var t2 = [509, 0, 227, 0, 150, 4, 294, 9, 1368, 2, 2, 1, 6, 3, 41, 2, 5, 0, 166, 1, 574, 3, 9, 9, 7, 9, 32, 4, 318, 1, 80, 3, 71, 10, 50, 3, 123, 2, 54, 14, 32, 10, 3, 1, 11, 3, 46... L68: function isInAstralSet(e3, t3) { ... L75: function isIdentifierStart(e3, t3) { L76: return e3 < 65 ? 36 === e3 : e3 < 91 || (e3 < 97 ? 95 === e3 : e3 < 123 || (e3 <= 65535 ? e3 >= 170 && c.test(String.fromCharCode(e3)) : false !== t3 && isInAstralSet(e3, s))); L77: } ... L2157: function pathe_M_eThtNZ_cwd() { L2158: return "undefined" != typeof process && "function" == typeof process.cwd ? process.cwd().replace(/\\/g, "/") : "/"; L2159: } ... L2333: const { ERR_UNKNOWN_FILE_EXTENSION: Ue } = Te, Me = {}.hasOwnProperty, je = { __proto__: null, ".cjs": "commonjs", ".js": "module", ".json": "json", ".mjs": "module" }; L2334: const Fe = { __proto__: null, "data:": function(e3) { L2335: const { 1: t3 } = /^([^/]+\/[^;,]+)[^,]*?(;base64)?,/.exec(e3.pathname) || [null, null, null];
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L66
bin/pluxx.jsView file
16L17: const cli = await import(pathToFileURL(cliPath).href) L18: if (typeof cli.main !== 'function') {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/pluxx.jsView on unpkg · L16

Findings

3 High5 Medium7 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
MediumSecret Patterndist/cli/index.js
MediumDynamic Requirebin/pluxx.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings