registry  /  @promptctl/cc-candybar  /  1.10.0

@promptctl/cc-candybar@1.10.0

⚠ Under review

Statusline renderer for Claude Code — a JSON5-configurable DSL with daemon-cached data sources, byte-clean palette-aware composition, and OSC8 click verbs.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 21 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 97 file(s), 1.51 MB of source, external domains: github.com, json-schema.org, raw.githubusercontent.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.mjsView file
14contains invisible/control Unicode U+200C (zero width non-joiner) `).filter(e=>e.trim()),n=[];for(let e of t)try{let t=vn(JSON.parse(e));t&&n.push(t)}catch(e){O(`Failed to parse JSONL line: ${e}`);continue}return n}async function z(e){return new Promise((t,n)=>{let i=[],a=r(e,{encoding:`utf8`}),o=w({input
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/index.mjsView on unpkg · L14
1Trigger-reachable chain: manifest.main -> dist/index.mjs L1: #!/usr/bin/env node L2: import e from"node:process";import{json as t}from"node:stream/consumers";import n,{createReadStream as r,existsSync as i,watch as a}from"node:fs";import o,{basename as s,dirname as... L3: `)}catch(t){e.stderr.write(`cc-candybar: daemon spawn failed: ${t.message}\n`)}}let Ze=null;function Qe(){let t=ke();for(let r=0;r<2;r++){try{let r=n.openSync(t,`wx`,384);try{n.wri... ... L11: `).length:0)}async getUpstreamAsync(e){return Ht(Bt(`git rev-parse @{u}`,await this.execGitAsync([`rev-parse`,`--abbrev-ref`,`@{u}`],{cwd:e,timeout:2e3}),`absent`))}async getRepoNa... L12: `),r=null,i=`clean`,a=0,o=0,s=0,c=0;for(let e of n)if(e){if(e.startsWith(`## `)){let t=e.substring(3).split(`...`)[0];t&&t!==`HEAD (no branch)`&&(r=t);continue}if(e.length>=2){let ... L13: `)[0];r&&JSON.parse(r).sessionId===e&&n.push(t)}catch{O(`Failed to check agent file ${t}`)}}}catch(e){O(`Failed to read subagents directory ${r}:`,e)}return n}const gn=new Map;asyn...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.mjsView on unpkg · L1
1#!/usr/bin/env node L2: import e from"node:process";import{json as t}from"node:stream/consumers";import n,{createReadStream as r,existsSync as i,watch as a}from"node:fs";import o,{basename as s,dirname as... L3: `)}catch(t){e.stderr.write(`cc-candybar: daemon spawn failed: ${t.message}\n`)}}let Ze=null;function Qe(){let t=ke();for(let r=0;r<2;r++){try{let r=n.openSync(t,`wx`,384);try{n.wri...
High
Child Process

Package source references child process execution.

dist/index.mjsView on unpkg · L1
1#!/usr/bin/env node L2: import e from"node:process";import{json as t}from"node:stream/consumers";import n,{createReadStream as r,existsSync as i,watch as a}from"node:fs";import o,{basename as s,dirname as... L3: `)}catch(t){e.stderr.write(`cc-candybar: daemon spawn failed: ${t.message}\n`)}}let Ze=null;function Qe(){let t=ke();for(let r=0;r<2;r++){try{let r=n.openSync(t,`wx`,384);try{n.wri... ... L11: `).length:0)}async getUpstreamAsync(e){return Ht(Bt(`git rev-parse @{u}`,await this.execGitAsync([`rev-parse`,`--abbrev-ref`,`@{u}`],{cwd:e,timeout:2e3}),`absent`))}async getRepoNa... L12: `),r=null,i=`clean`,a=0,o=0,s=0,c=0;for(let e of n)if(e){if(e.startsWith(`## `)){let t=e.substring(3).split(`...`)[0];t&&t!==`HEAD (no branch)`&&(r=t);continue}if(e.length>=2){let ... L13: `)[0];r&&JSON.parse(r).sessionId===e&&n.push(t)}catch{O(`Failed to check agent file ${t}`)}}}catch(e){O(`Failed to read subagents directory ${r}:`,e)}return n}const gn=new Map;asyn...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.mjsView on unpkg · L1
1#!/usr/bin/env node L2: import e from"node:process";import{json as t}from"node:stream/consumers";import n,{createReadStream as r,existsSync as i,watch as a}from"node:fs";import o,{basename as s,dirname as... L3: `)}catch(t){e.stderr.write(`cc-candybar: daemon spawn failed: ${t.message}\n`)}}let Ze=null;function Qe(){let t=ke();for(let r=0;r<2;r++){try{let r=n.openSync(t,`wx`,384);try{n.wri... ... L11: `).length:0)}async getUpstreamAsync(e){return Ht(Bt(`git rev-parse @{u}`,await this.execGitAsync([`rev-parse`,`--abbrev-ref`,`@{u}`],{cwd:e,timeout:2e3}),`absent`))}async getRepoNa... L12: `),r=null,i=`clean`,a=0,o=0,s=0,c=0;for(let e of n)if(e){if(e.startsWith(`## `)){let t=e.substring(3).split(`...`)[0];t&&t!==`HEAD (no branch)`&&(r=t);continue}if(e.length>=2){let ... L13: `)[0];r&&JSON.parse(r).sessionId===e&&n.push(t)}catch{O(`Failed to check agent file ${t}`)}}}catch(e){O(`Failed to read subagents directory ${r}:`,e)}return n}const gn=new Map;asyn...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.mjsView on unpkg · L1
1#!/usr/bin/env node L2: import e from"node:process";import{json as t}from"node:stream/consumers";import n,{createReadStream as r,existsSync as i,watch as a}from"node:fs";import o,{basename as s,dirname as... L3: `)}catch(t){e.stderr.write(`cc-candybar: daemon spawn failed: ${t.message}\n`)}}let Ze=null;function Qe(){let t=ke();for(let r=0;r<2;r++){try{let r=n.openSync(t,`wx`,384);try{n.wri... L4: `)}function Dt(e){if(!e)throw Error(`install-url-handler: process.argv[1] not set`);return e.endsWith(`.mjs`)||e.endsWith(`.js`)?e:o.resolve(o.dirname(e),`..`,`dist`,`index.mjs`)}f... ... L11: `).length:0)}async getUpstreamAsync(e){return Ht(Bt(`git rev-parse @{u}`,await this.execGitAsync([`rev-parse`,`--abbrev-ref`,`@{u}`],{cwd:e,timeout:2e3}),`absent`))}async getRepoNa... L12: `),r=null,i=`clean`,a=0,o=0,s=0,c=0;for(let e of n)if(e){if(e.startsWith(`## `)){let t=e.substring(3).split(`...`)[0];t&&t!==`HEAD (no branch)`&&(r=t);continue}if(e.length>=2){let ... L13: `)[0];r&&JSON.parse(r).sessionId===e&&n.push(t)}catch{O(`Failed to check agent file ${t}`)}}}catch(e){O(`Failed to read subagents directory ${r}:`,e)}return n}const gn=new Map;asyn... ... L66: Re-annotating fields is not allo
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.mjsView on unpkg · L1
plugin/bin/preview.shView file
path = plugin/bin/preview.sh kind = build_helper sizeBytes = 9784 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

plugin/bin/preview.shView on unpkg

Findings

2 Critical5 High6 Medium8 Low
CriticalTrojan Source Unicodedist/index.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/index.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.mjs
HighShell
HighSame File Env Network Executiondist/index.mjs
HighCommand Output Exfiltrationdist/index.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helperplugin/bin/preview.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings