registry  /  @parall/parall  /  1.43.0

@parall/parall@1.43.0

⚠ Under review

OpenClaw channel plugin for Parall IM

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 29 file(s), 1.66 MB of source

Source & flagged code

3 flagged · loading source
dist/index.bundle.mjsView file
122var _a; L123: const api = _global[GLOBAL_OPENTELEMETRY_API_KEY] = (_a = _global[GLOBAL_OPENTELEMETRY_API_KEY]) !== null && _a !== void 0 ? _a : { L124: version: VERSION
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.bundle.mjsView on unpkg · L122
6586try { L6587: var mod = eval("quire".replace(/^/, "re"))(moduleName); L6588: if (mod && (mod.length || Object.keys(mod).length))
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.bundle.mjsView on unpkg · L6586
dist/gateway.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @parall/parall@1.42.1 matchedIdentity = npm:QHBhcmFsbC9wYXJhbGw:1.42.1 similarity = 0.786 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/gateway.jsView on unpkg

Findings

1 Critical1 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/gateway.js
HighObfuscated Payload Loaderdist/index.bundle.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/index.bundle.mjs
LowFilesystem
LowHigh Entropy Strings