registry  /  @oyasmi/pipiclaw  /  0.7.2

@oyasmi/pipiclaw@0.7.2

An AI assistant runtime for coding and team workflows, with DingTalk AI Cards, sub-agents, memory, and scheduled events.

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 106 file(s), 636 KB of source, external domains: 127.0.0.1, api.dingtalk.com, api.search.brave.com, api.tavily.com, html.duckduckgo.com, r.jina.ai, s.jina.ai

Source & flagged code

3 flagged · loading source
dist/memory/files.jsView file
1import { createHash, randomBytes } from "crypto"; L2: import { existsSync, mkdirSync, writeFileSync } from "fs";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/memory/files.jsView on unpkg · L1
dist/security/network.jsView file
1import { lookup } from "node:dns/promises"; L2: import { isIP } from "node:net"; ... L14: const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal", "metadata", "169.254.169.254"]); L15: const PRIVATE_IPV4_CIDRS = [ L16: "0.0.0.0/8",
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/security/network.jsView on unpkg · L1
dist/agent/channel-runner.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @oyasmi/pipiclaw@0.7.1 matchedIdentity = npm:QG95YXNtaS9waXBpY2xhdw:0.7.1 similarity = 0.935 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/agent/channel-runner.jsView on unpkg

Findings

2 High3 Medium7 Low
HighCloud Metadata Accessdist/security/network.js
HighPrevious Version Dangerous Deltadist/agent/channel-runner.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/memory/files.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License