registry  /  @ottocode/sdk  /  0.1.338

@ottocode/sdk@0.1.338

AI agent SDK for building intelligent assistants - tree-shakable and comprehensive

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 158 file(s), 970 KB of source, external domains: accounts.x.ai, ai.google.dev, api-docs.deepseek.com, api.anthropic.com, api.deepseek.com, api.github.com, api.githubcopilot.com, api.kimi.com, api.minimax.io, api.moonshot.ai, api.openai.com, api.ottorouter.org, api.z.ai, auth.kimi.com, auth.openai.com, auth.x.ai, chatgpt.com, cli-chat-proxy.grok.com, docs.anthropic.com, docs.baseten.co, docs.github.com, docs.ollama.com, docs.wafer.ai, docs.x.ai, docs.z.ai, github.com, html.duckduckgo.com, huggingface.co, inference.baseten.co, ollama.com, opencode.ai, openrouter.ai, ottocode.io, ottorouter.org, pass.wafer.ai, platform.claude.com, platform.kimi.ai, platform.minimax.io, platform.openai.com, raw.githubusercontent.com, router.huggingface.co

Source & flagged code

2 flagged · loading source
src/config/src/paths.tsView file
270L271: async function loadFsPromises(): Promise<typeof import('node:fs/promises')> { L272: return Function('specifier', 'return import(specifier)')('node:fs/promises');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/config/src/paths.tsView on unpkg · L270
src/auth/src/oauth.tsView file
1import { spawn } from 'node:child_process'; L2: import { randomBytes, createHash } from 'node:crypto'; ... L5: const CLAUDE_CLI_VERSION = '1.0.61'; L6: const OAUTH_TOKEN_ENDPOINT = 'https://platform.claude.com/v1/oauth/token'; L7: const OAUTH_REDIRECT_URI = 'https://platform.claude.com/oauth/code/callback'; ... L12: function generatePKCE() { L13: // Generate random verifier (43-128 characters, base64url encoded) L14: const verifier = randomBytes(32) ... L31: async function openBrowser(url: string) { L32: const platform = process.platform; L33: let command: string; ... L51: if (code === 0) resolve();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/auth/src/oauth.tsView on unpkg · L1

Findings

1 High4 Medium4 Low
HighSandbox Evasion Gated Capabilitysrc/auth/src/oauth.ts
MediumDynamic Requiresrc/config/src/paths.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings