registry  /  @origintrail-official/dkg  /  10.0.2

@origintrail-official/dkg@10.0.2

Command-line interface and daemon for DKG V10. This is the main entry point for running a DKG node — it manages the node lifecycle, exposes a local HTTP API, and provides commands for publishing, querying, and interacting with the network.

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 145 file(s), 2.23 MB of source, external domains: 127.0.0.1, api.github.com, api.openai.com, basescan.org, discord.com, dkg.io, etherscan.io, example.com, github.com, java.sun.com, ontology.dkg.io, raw.githubusercontent.com, registry.npmjs.org, schema.org, sepolia.basescan.org, sepolia.etherscan.io, telemetry-testnet.origintrail.io, telemetry.origintrail.io, www.npmjs.com, www.w3.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node ./scripts/bundle-markitdown-binaries.mjs --quiet --current-platform --best-effort
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./scripts/bundle-markitdown-binaries.mjs --quiet --current-platform --best-effort
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli-supervisor.jsView file
1import { spawn } from 'node:child_process'; L2: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/cli-supervisor.jsView on unpkg · L1
85}); L86: const child = spawn(process.execPath, [...process.execArgv, resolveDaemonEntryPoint(), 'daemon-worker'], { L87: stdio: ['ignore', 'ignore', 'ignore'],
High
Shell

Package source references shell execution.

dist/cli-supervisor.jsView on unpkg · L85
dist/commands/hermes.jsView file
4async function importHermesAdapterModule() { L5: const dynamicImport = new Function('specifier', 'return import(specifier)'); L6: return dynamicImport('@origintrail-official/dkg-adapter-hermes');
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/commands/hermes.jsView on unpkg · L4
dist/source-worker-runner.jsView file
58// handlerModule is trusted operator code selected by the sensitive worker config. L59: const namespace = await import(pathToFileURL(config.handlerModule).href); L60: const candidate = config.handlerExport
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/source-worker-runner.jsView on unpkg · L58
dist/daemon/manifest.jsView file
10import { chmod, copyFile, mkdir, readFile, readdir, rename, rm, stat, unlink, writeFile, } from 'node:fs/promises'; L11: import { execSync, exec, execFile } from 'node:child_process'; L12: import { promisify } from 'node:util'; ... L69: try { L70: const pkgJsonPath = daemonRequire.resolve('@origintrail-official/dkg-mcp/package.json'); L71: const packageDir = dirname(pkgJsonPath); ... L115: const raw = readFileSync(pkgJsonPath, 'utf8'); L116: const parsed = JSON.parse(raw); L117: if (typeof parsed.version === 'string' && parsed.version.length > 0) ... L249: /** L250: * Format a `host:port` pair safely for an `http://` URL, including the L251: * IPv6-literal bracket rules from RFC-3986 §3.2.2 (`[::1]:9201`, not
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/daemon/manifest.jsView on unpkg · L10
scripts/swm-triple-volume-benchmark.cjsView file
6const { createInterface } = require('node:readline'); L7: const { execFileSync } = require('node:child_process'); L8: ... L12: const DEFAULT_PREDICATE_BASE = 'urn:dkg:benchmark:swm-triple-volume:p'; L13: const DKG_ONTOLOGY = 'http://dkg.io/ontology/'; L14: const INVOCATION_CWD = process.env.INIT_CWD || process.cwd(); L15: const FAILURE_PATTERNS = [
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/swm-triple-volume-benchmark.cjsView on unpkg · L6
scripts/markitdown-entry.pyView file
path = scripts/markitdown-entry.py kind = build_helper sizeBytes = 873 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/markitdown-entry.pyView on unpkg

Findings

4 High6 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli-supervisor.js
HighShelldist/cli-supervisor.js
HighSame File Env Network Executionscripts/swm-triple-volume-benchmark.cjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/source-worker-runner.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/markitdown-entry.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/commands/hermes.js
LowWeak Cryptodist/daemon/manifest.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings