@parall/daemon@1.37.0

Parall local agent runtime — daemon supervisor + bridge runtimes, bundled as standalone JS files

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 39 file(s), 7.37 MB of source, external domains: 127.0.0.1, 169.254.169.254, 169.254.170.2, a.co, api.parall.com, api.pinixai.com, aws.amazon.com, bun.sh, docs.aws.amazon.com, github.com, pinix-blobs-1251447449.cos.ap-beijing.myqcloud.com, portal.sso, portal.sso-fips, react-native.canny.io, releases.parall.com, releases.staging.prll.sh, s3-fips.dualstack, s3-fips.dualstack.us-east-1, s3-fips.us-east-1, s3.amazonaws.com, s3.dualstack, s3.dualstack.us-east-1, s3express-control-fips.dualstack, s3express-control.dualstack, storage.googleapis.com, sts.amazonaws.com, www.apple.com, www.w3.org, x.com

Source & flagged code

10 flagged
dist/clip-runtime/browser-state-store.js
    L32: */
    L33: import { spawn } from 'node:child_process';
    L34: import { createHash } from 'node:crypto';
High
Child Process

Package source references child process execution.

dist/clip-runtime/browser-state-store.js · L32
dist/cli.js
    L96: Environment=PRLL_DAEMON_MANAGED=1
    L97: ExecStart=/bin/sh -c 'OVERLAY="$HOME/.parall-daemon/bundle/current/parall-daemon.js"; if [ -f "$OVERLAY" ]; then exec node "$OVERLAY"; else exec ${daemonBin}; fi'
    L98: Restart=always
High
Shell

Package source references shell execution.

dist/cli.js · L96
    L1: import { execSync, spawn } from 'node:child_process';
    L2: import * as fs from 'node:fs';
    ...
    L10: try {
    L11: return JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf-8'));
    L12: }
    ...
    L22: function prompt(question) {
    L23: const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
    L24: return new Promise((resolve) => {
    ...
    L31: function isMacOS() {
    L32: return process.platform === 'darwin';
    L33: }
    ...
    L38: function plistPath() {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.js · L1
bundle/parall-claude-agent.js
    L6587: try {
    L6588: var mod = eval("quire".replace(/^/, "re"))(moduleName);
    L6589: if (mod && (mod.length || Object.keys(mod).length))
Low
Eval

Package source references a known benign dynamic code generation pattern.

bundle/parall-claude-agent.js · L6587
bundle/bb-browser-daemon.js
    L50: kStatusCode: Symbol("status-code"),
    L51: kWebSocket: Symbol("websocket"),
    L52: NOOP: () => {
    ...
    L103: } else {
    L104: buf = Buffer.from(data);
    L105: toBuffer.readOnly = false;
    ...
    L115: };
    L116: if (!process.env.WS_NO_BUFFER_UTIL) {
    L117: try {
    ...
    L167: *
    L168: * @private
    L169: */
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bundle/bb-browser-daemon.js · L50
bundle/parall-daemon.js
Manifest entrypoint (manifest.main) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network
    L45: function resolvePath(value) {
    L46: return path.isAbsolute(value) ? value : path.resolve(process.cwd(), value);
    L47: }
    L48: function daemonConfigDir(env = process.env) {
    L49: const override = env.PRLL_DAEMON_CONFIG_DIR?.trim();
    ...
    L202: USER: (id) => `${API_BASE}/users/${id}`,
    L203: // WebSocket ticket
    L204: WS_TICKET: `${API_BASE}/ws/ticket`,
    ...
    L418: WIKI_PATH_SCOPE: (orgId, wikiId, scopeId) => `${WIKI_BASE}/orgs/${orgId}/wikis/${wikiId}/path-scopes/${scopeId}`,
    L419: // Wiki Path Restrictions (AFCS narrowing ACL — private subtrees)
    L420: WIKI_RESTRICTIONS: (orgId, wikiId) => `${WIKI_BASE}/orgs/${orgId}/wikis/${wikiId}/restrictions`,
    ...
    L495: CLIP: (orgId, clipId) => `${CLIP_BASE}/orgs/${orgId}/clips/${clipId}`,
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bundle/parall-daemon.js · L45
    L2796: var _a;
    L2797: const api = _global[GLOBAL_OPENTELEMETRY_API_KEY] = (_a = _global[GLOBAL_OPENTELEMETRY_API_KEY]) !== null && _a !== void 0 ? _a : {
    L2798: version: VERSION
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

bundle/parall-daemon.js · L2796
dist/clip-runtime/bun-resolver.js
    L24: import * as path from 'node:path';
    L25: import { execFileSync } from 'node:child_process';
    L26: export function findBunBinary() {
    L27: const isWindows = process.platform === 'win32';
    L28: const binName = isWindows ? 'bun.exe' : 'bun';
    ...
    L35: const candidates = [
    L36: path.join(process.env.HOME || '', '.bun', 'bin', 'bun'),
    L37: '/usr/local/bin/bun',
    ...
    L56: }
    L57: throw new Error('bun binary not found — install Bun (https://bun.sh) or set bunPath option');
    L58: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/clip-runtime/bun-resolver.js · L24
bundle/parall-browser-pod.js
    L342: if (version && !state.warningEmitted) {
    L343: if (process.env.AWS_SDK_JS_NODE_VERSION_SUPPORT_WARNING_DISABLED === "true") {
    L344: state.warningEmitted = true;
    ...
    L357:
    L358: More information can be found at: https://a.co/c895JFp`);
    L359: }
    ...
    L879: }
    L880: return buffer.Buffer.from(input, offset, length);
    L881: };
    ...
    L1508: stream.on("error", (err) => {
    L1509: collector.end();
    L1510: reject(err);
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

bundle/parall-browser-pod.js · L342
dist/clip-runtime/browser-profile-manager.js
Cross-file remote execution chain: dist/clip-runtime/browser-profile-manager.js spawns bundle/bb-browser-daemon.js; helper contains network access plus dynamic code execution.
    L1: import { spawn } from 'node:child_process';
    L2: import { randomBytes } from 'node:crypto';
    ...
    L209: try {
    L210: await this.post('/shutdown', d, undefined, 3_000);
    L211: }
    ...
    L468: if (this.daemon &&
    L469: this.daemon.child.exitCode === null &&
    L470: this.daemon.child.signalCode === null) {
    ...
    L597: ], {
    L598: env: buildBrowserDaemonEnv(process.env, this.opts.homeDir),
    L599: stdio: ['ignore', 'ignore', 'pipe'],
    ...
    L608: child.stderr?.on('data', (chunk) => {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/clip-runtime/browser-profile-manager.js · L1

Findings

7 High · 4 Medium · 6 Low
High · Child Process · dist/clip-runtime/browser-state-store.js
High · Shell · dist/cli.js
High · Entrypoint Build Divergence · bundle/parall-daemon.js
High · Sandbox Evasion Gated Capability · dist/clip-runtime/bun-resolver.js
High · Cloud Metadata Access · bundle/parall-browser-pod.js
High · Obfuscated Payload Loader · bundle/parall-daemon.js
High · Cross File Remote Execution Context · dist/clip-runtime/browser-profile-manager.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/cli.js
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · bundle/parall-claude-agent.js
Low · Weak Crypto · bundle/bb-browser-daemon.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings