registry  /  @pixelbyte-software/pixcode  /  1.54.11

@pixelbyte-software/pixcode@1.54.11

Self-hosted AI coding agent control room for Claude Code, Cursor CLI, OpenAI Codex, Gemini CLI, Qwen Code, and OpenCode with chat, files, shell, Git, orchestration, API keys, Telegram, MCP, plugins, themes, and desktop/server deployment.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 22 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 420 file(s), 5.22 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.example.com, api.github.com, api.openai.com, api.telegram.org, auth.openai.com, cdn.jsdelivr.net, codex.example.com, cursor.com, dashscope-intl.aliyuncs.com, developers.cloudflare.com, docs.anthropic.com, docs.cursor.com, docs.docker.com, example.com, gemini.example.com, generativelanguage.googleapis.com, github.com, global.example.com, models.dev, ngrok.com, oauth2.googleapis.com, pixcode.example.com, pixcode.local, reactjs.org, registry.npmjs.org, registry.test, runtime.test, tailscale.com, www.w3.org
Oversized source lightweight scan
dist/assets/index-Bcqs_1vc.js2.98 MB file, sampled 256 KB
NetworkChildProcessWebSocketHighEntropyStringsMinifiedUrlStringsapi.example.comauth.openai.comcursor.comgithub.comwww.w3.org

Source & flagged code

13 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/fix-node-pty.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist-server/server/setup-wizard.jsView file
5import readline from 'readline'; L6: import { spawn } from 'node:child_process'; L7: import { c } from './utils/colors.js';
High
Child Process

Package source references child process execution.

dist-server/server/setup-wizard.jsView on unpkg · L5
111try { L112: const { execSync } = require('child_process'); L113: execSync('command -v xdg-open', { stdio: 'pipe' });
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist-server/server/setup-wizard.jsView on unpkg · L111
dist-server/server/index.jsView file
440env: process.env, L441: shell: true, L442: stdio: ['ignore', 'pipe', 'pipe'],
High
Shell

Package source references shell execution.

dist-server/server/index.jsView on unpkg · L440
7Manifest entrypoint (manifest.main) carries capability families absent from dist/build output: environment+network, execution+network L7: import os from 'os'; L8: import http from 'http'; L9: import net from 'node:net'; ... L12: import { createRequire } from 'node:module'; L13: import { spawn } from 'child_process'; L14: import express from 'express'; ... L19: import { securityLog, getClientIp } from './utils/security-log.js'; L20: const __dirname = getModuleDir(import.meta.url); L21: // The server source runs from /server, while the compiled output runs from /dist-server/server. ... L28: try { L29: const pkgRaw = fs.readFileSync(path.join(APP_ROOT, 'package.json'), 'utf8'); L30: return JSON.parse(pkgRaw).version || '0.0.0';
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

dist-server/server/index.jsView on unpkg · L7
1556const proto = forwardedProto || (request?.socket?.encrypted ? 'https' : 'http'); L1557: const host = headers['x-forwarded-host'] || headers.host || `127.0.0.1:${process.env.SERVER_PORT || process.env.PORT || '3001'}`; L1558: return `${proto}://${String(host).split(',')[0].trim()}`; ... L1562: } L1563: function quotePowerShellArg(value) { L1564: return `"${String(value).replace(/`/g, '``').replace(/\$/g, '`$').replace(/"/g, '`"')}"`; ... L1568: } L1569: // Single WebSocket server that handles both paths L1570: const wss = new WebSocketServer({
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-server/server/index.jsView on unpkg · L1556
7Detached bundled service listener: dist-server/server/index.js launches a Node helper and exposes a broad-bound HTTP listener. L7: import os from 'os'; L8: import http from 'http'; L9: import net from 'node:net'; ... L12: import { createRequire } from 'node:module'; L13: import { spawn } from 'child_process'; L14: import express from 'express'; ... L19: import { securityLog, getClientIp } from './utils/security-log.js'; L20: const __dirname = getModuleDir(import.meta.url); L21: // The server source runs from /server, while the compiled output runs from /dist-server/server. ... L28: try { L29: const pkgRaw = fs.readFileSync(path.join(APP_ROOT, 'package.json'), 'utf8'); L30: return JSON.parse(pkgRaw).version || '0.0.0';
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist-server/server/index.jsView on unpkg · L7
dist-server/server/projects.jsView file
187async function loadProjectConfig() { L188: const configPath = path.join(os.homedir(), '.claude', 'project-config.json'); L189: try { L190: const configData = await fs.readFile(configPath, 'utf8'); L191: return JSON.parse(configData); L192: } ... L443: let projectPath = actualProjectDir || projectName.replace(/-/g, '/'); L444: // Try to read package.json from the project path L445: try { ... L996: textContent.startsWith('<command-args>') || L997: textContent.startsWith('<local-command-stdout>') || L998: textContent.startsWith('<system-reminder>') ||
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist-server/server/projects.jsView on unpkg · L187
dist-server/server/daemon/manager.jsView file
1import fs from 'fs'; L2: import http from 'http'; L3: import os from 'os'; L4: import path from 'path'; L5: import { execFileSync, spawn } from 'child_process'; L6: const DEFAULT_SERVER_PORT = 3001; L7: const DAEMON_DIR = path.join(os.homedir(), '.pixcode', 'daemon'); L8: const PID_FILE = path.join(DAEMON_DIR, 'daemon.pid'); ... L41: const raw = fs.readFileSync(STATE_FILE, 'utf8'); L42: const parsed = JSON.parse(raw); L43: if (!parsed || typeof parsed !== 'object') { ... L112: function terminateProcess(pid, force = false) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-server/server/daemon/manager.jsView on unpkg · L1
dist-server/server/services/startup-update.jsView file
3import crypto from 'node:crypto'; L4: import { spawn, spawnSync } from 'node:child_process'; L5: import { Readable } from 'node:stream'; L6: const packageName = '@pixelbyte-software/pixcode'; L7: const registryUrl = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`; L8: const startupUpdateAppliedEnv = 'PIXCODE_STARTUP_UPDATE_APPLIED'; ... L21: function commandName(name) { L22: if (process.platform === 'win32') { L23: return name === 'npm' ? 'npm.cmd' : `${name}.exe`; ... L29: cwd: options.cwd, L30: env: options.env || process.env, L31: encoding: 'utf8',
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist-server/server/services/startup-update.jsView on unpkg · L3
server/services/live-view.jsView file
176args: installArgs, L177: displayCommand: 'npm install --no-audit --no-fund --include=dev', L178: }; ... L186: let settled = false; L187: const child = spawn(command, args, { L188: cwd: options.cwd,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

server/services/live-view.jsView on unpkg · L176
dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
dist/assets/index-Bcqs_1vc.jsView file
path = dist/assets/index-Bcqs_1vc.js kind = oversized_source_file sizeBytes = 3126196 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/assets/index-Bcqs_1vc.jsView on unpkg

Findings

10 High5 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist-server/server/setup-wizard.js
HighShelldist-server/server/index.js
HighEntrypoint Build Divergencedist-server/server/index.js
HighSame File Env Network Executiondist-server/server/index.js
HighSandbox Evasion Gated Capabilitydist-server/server/services/startup-update.js
HighSpawned Bundled Service Listenerdist-server/server/index.js
HighRuntime Package Installserver/services/live-view.js
HighShips High Entropy Blobdist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
HighOversized Source Filedist/assets/index-Bcqs_1vc.js
MediumDynamic Requiredist-server/server/setup-wizard.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist-server/server/daemon/manager.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist-server/server/projects.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings