registry  /  @ownware/cortex  /  0.2.0

@ownware/cortex@0.2.0

The Ownware kernel & gateway — profiles, threads, HTTP+SSE gateway, credential vault, and the `ownware` CLI.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 314 file(s), 2.91 MB of source, external domains: 127.0.0.1, accounts.google.com, api.anthropic.com, api.github.com, api.groq.com, api.notion.com, api.openai.com, api.search.brave.com, api.slack.com, avatars.githubusercontent.com, backend.composio.dev, console.cloud.google.com, dashboard.stripe.com, developer.microsoft.com, developers.google.com, developers.hubspot.com, docs.mixpanel.com, duckduckgo.com, entra.microsoft.com, fonts.googleapis.com, generativelanguage.googleapis.com, gist.github.com, github.com, gitlab.com, linear.app, login.microsoftonline.com, mcp.atlassian.com, mcp.figma.com, mcp.mixpanel.com, oauth2.googleapis.com, openrouter.ai, perplexity.ai, platform.composio.dev, raw.githubusercontent.com, registry.modelcontextprotocol.io, search.brave.com, slack.com, tavily.com, www.figma.com, www.googleapis.com, www.notion.so

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/fix-node-pty-permissions.mjs && node scripts/ensure-ripgrep-binary.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/fix-node-pty-permissions.mjs && node scripts/ensure-ripgrep-binary.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli/channel.jsView file
23try { L24: return (await import(specifier)); L25: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/channel.jsView on unpkg · L23
dist/gateway/handlers/catalog.jsView file
98return async function catalogHandler(req, res) { L99: const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`); L100: // Parse + Zod-validate query params. `featured` is a tri-state ... L159: res.writeHead(304, { ETag: etag }); L160: res.end(); L161: return;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/gateway/handlers/catalog.jsView on unpkg · L98
dist/terminal/shell-integration.jsView file
10* ESC ] 633 ; C ; <nonce> BEL command start (pre-exec) L11: * ESC ] 633 ; D ; <nonce> ; <code> BEL command finished + exit code (precmd) L12: * ... L67: `; L68: // .zshrc — source the user's config, THEN install our hooks + clean prompt so we L69: // win over whatever the user set. Markers use printf octal escapes (\033 ESC, ... L120: export function prepareShellIntegration(opts) { L121: const processEnv = opts.processEnv ?? process.env; L122: const shell = opts.shell ?? processEnv['SHELL'] ?? '';
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/terminal/shell-integration.jsView on unpkg · L10
dist/gateway/auth/principal-middleware.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @ownware/cortex@0.1.0 matchedIdentity = npm:QG93bndhcmUvY29ydGV4:0.1.0 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/gateway/auth/principal-middleware.jsView on unpkg

Findings

2 High6 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltadist/gateway/auth/principal-middleware.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/cli/channel.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/terminal/shell-integration.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/gateway/handlers/catalog.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings