
@pellux/goodvibes-sdk@0.38.0

TypeScript SDK for building GoodVibes operator, peer, web, mobile, and daemon-connected apps with typed contracts, auth, realtime events, and transport layers.

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Native Bindings, Network, Shell
Supply chain: High Entropy Strings, Minified, Obfuscated, Url Strings
Manifest: No manifest risk signals triggered.
scanned 1,309 file(s), 7.92 MB of source, external domains: 127.0.0.1, ai-gateway.vercel.sh, aihubmix.com, aiplatform.eu.rep.googleapis.com, aiplatform.googleapis.com, aiplatform.us.rep.googleapis.com, api-inference.huggingface.co, api.anthropic.com, api.botframework.com, api.cerebras.ai, api.cohere.com, api.deepgram.com, api.deepinfra.com, api.deepseek.com, api.dev.runwayml.com, api.duckduckgo.com, api.elevenlabs.io, api.exa.ai, api.firecrawl.dev, api.fireworks.ai, api.github.com, api.groq.com, api.inceptionlabs.ai, api.individual.githubcopilot.com, api.llm7.io, api.minimax.io, api.mistral.ai, api.moonshot.ai, api.openai.com, api.perplexity.ai, api.search.brave.com, api.stepfun.ai, api.tavily.com, api.telegram.org, api.together.xyz, api.twilio.com, api.venice.ai, api.x.ai, api.xiaomimimo.com, api.z.ai, api.zeroeval.com, ark.ap-southeast.bytepluses.com, ark.cn-beijing.volces.com, auth.openai.com, bluebubbles.example.test, chatgpt.com, companion.example.com, dashscope-intl.aliyuncs.com, discord.com, docs.example.com

Source & flagged code

8 flagged
dist/platform/security/user-auth.js
L175: patternName = generic_password severity = medium line = 175 matchedText = password...th);
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/platform/security/user-auth.js · L175
dist/platform/tools/read/media.js
L259: // eslint-disable-next-line @typescript-eslint/no-implied-eval, no-new-func
L260: const dynamicImport = new Function('specifier', 'return import(specifier)');
L261: const mod = await dynamicImport('sharp');
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/platform/tools/read/media.js · L259
dist/client-auth/android-keystore-token-store.js
L35: try {
L36: _mod = (await import(REACT_NATIVE_KEYCHAIN_MODULE));
L37: return _mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/client-auth/android-keystore-token-store.js · L35
dist/platform/adapters/telephony/index.js
L13: }
L14: const params = new URLSearchParams(rawBody);
L15: const parsed = {};
...
L52: continue;
L53: const expected = createHmac('sha1', authToken).update(baseString).digest('base64');
L54: if (constantTimeEquals(expected, signature))
...
L63: || await context.serviceRegistry.resolveSecret('telephony', 'primary')
L64: || process.env.TELEPHONY_WEBHOOK_SECRET
L65: || process.env.TWILIO_WEBHOOK_SECRET
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/platform/adapters/telephony/index.js · L13
dist/platform/runtime/sandbox/provisioning.js
L2: import { dirname, join, resolve } from 'node:path';
L3: import { spawnSync } from 'node:child_process';
L4: import { getSandboxConfigSnapshot } from './manager.js';
...
L180: `sudo mkdir -p ${config.qemuWorkspacePath || '/workspace'}`,
L181: `id -u ${config.qemuGuestUser || 'goodvibes'} >/dev/null 2>&1 || sudo useradd -m -s /bin/bash ${config.qemuGuestUser || 'goodvibes'}`,
L182: `sudo chown -R ${config.qemuGuestUser || 'goodvibes'}:${config.qemuGuestUser || 'goodvibes'} ${config.qemuWorkspacePath || '/workspace'}`,
L183: 'sudo systemctl enable ssh || true',
L184: 'sudo systemctl restart ssh || true',
...
L270: // Operator-controlled escape hatch for deployments where qemu-img is not on PATH.
L271: qemuImgBinary = process.env.QEMU_IMG_BIN || 'qemu-img') {
L272: const targetPath = resolve(workspaceRoot, imagePathArg);
...
L278: if (result.status !== 0) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/platform/runtime/sandbox/provisioning.js · L2
dist/platform/tools/fetch/trust-tiers.js
L15: * SSRF protections detect:
L16: * - Private IPv4 ranges (RFC 1918)
L17: * - IPv6 loopback and link-local
...
L282: *
L283: * @param url - Full URL string (e.g. `https://example.com/path`).
L284: * @returns Hostname string (without port), or `null` on parse failure.
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/platform/tools/fetch/trust-tiers.js · L15
vendor/bash-language-server/tree-sitter-bash.wasm
path = vendor/bash-language-server/tree-sitter-bash.wasm kind = wasm_module sizeBytes = 1364404 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/platform/tools/exec/runtime.js
matchType = previous_version_dangerous_delta matchedPackage = @pellux/goodvibes-sdk@0.37.2 matchedIdentity = npm:QHBlbGx1eC9nb29kdmliZXMtc2Rr:0.37.2 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.


Findings

2 High · 7 Medium · 6 Low
High: Cloud Metadata Access (dist/platform/tools/fetch/trust-tiers.js)
High: Previous Version Dangerous Delta (dist/platform/tools/exec/runtime.js)
Medium: Secret Pattern (dist/platform/security/user-auth.js)
Medium: Dynamic Require (dist/client-auth/android-keystore-token-store.js)
Medium: Network
Medium: Environment Vars
Medium: Install Persistence (dist/platform/runtime/sandbox/provisioning.js)
Medium: Ships Wasm Module (vendor/bash-language-server/tree-sitter-bash.wasm)
Medium: Structural Risk Force Deep Review
Low: Eval (dist/platform/tools/read/media.js)
Low: Weak Crypto (dist/platform/adapters/telephony/index.js)
Low: Filesystem
Low: Obfuscated
Low: High Entropy Strings
Low: Url Strings