registry  /  @proofofwork-agency/contextrelay  /  3.10.0

@proofofwork-agency/contextrelay@3.10.0

ContextRelay: local multi-agent coding orchestration for Claude Code and Codex

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 1.60 MB of source, external domains: 127.0.0.1, bun.sh, github.com, json-schema.org, raw.githubusercontent.com, react.dev
Oversized source lightweight scan
dist/cli.js2.91 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsShellHighEntropyStringsUrlStrings127.0.0.1github.comreact.dev

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
plugins/contextrelay/server/daemon.jsView file
4253patternName = private_key_rsa severity = critical line = 4253 matchedText = [/"priva..."'],
Critical
Critical Secret

Package contains a critical-looking secret pattern.

plugins/contextrelay/server/daemon.jsView on unpkg · L4253
4253patternName = private_key_rsa severity = critical line = 4253 matchedText = [/"priva..."'],
Critical
Secret Pattern

RSA private key in plugins/contextrelay/server/daemon.js

plugins/contextrelay/server/daemon.jsView on unpkg · L4253
9// src/codex-adapter.ts L10: import { spawn as spawn2, execFileSync as execFileSync2 } from "child_process"; L11: import { createInterface as createInterface2 } from "readline";
High
Child Process

Package source references child process execution.

plugins/contextrelay/server/daemon.jsView on unpkg · L9
2180try { L2181: const raw = platform2() === "win32" ? execFileSync2("powershell.exe", [ L2182: "-NoProfile",
High
Shell

Package source references shell execution.

plugins/contextrelay/server/daemon.jsView on unpkg · L2180
plugins/contextrelay/server/bridge-server.jsView file
17526patternName = private_key_rsa severity = critical line = 17526 matchedText = [/"priva..."'],
Critical
Secret Pattern

RSA private key in plugins/contextrelay/server/bridge-server.js

plugins/contextrelay/server/bridge-server.jsView on unpkg · L17526
2892sourceCode = this.opts.code.process(sourceCode, sch); L2893: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2894: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

plugins/contextrelay/server/bridge-server.jsView on unpkg · L2892
scripts/verify-plugin-sync.cjsView file
5Cross-file remote execution chain: scripts/verify-plugin-sync.cjs spawns [redacted]-server.js; helper contains network access plus dynamic code execution. L5: const { join, relative, resolve } = require("node:path"); L6: const { spawnSync } = require("node:child_process"); L7: L8: const repoRoot = resolve(__dirname, ".."); L9: const pluginBundles = [
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/verify-plugin-sync.cjsView on unpkg · L5
plugins/contextrelay/scripts/inject-pending-codex.shView file
path = [redacted]-pending-codex.sh kind = build_helper sizeBytes = 237 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

plugins/contextrelay/scripts/inject-pending-codex.shView on unpkg
dist/cli.jsView file
path = dist/cli.js kind = oversized_source_file sizeBytes = 3054898 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.jsView on unpkg
path = dist/cli.js kind = oversized_cli_entrypoint sizeBytes = 3054898 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.jsView on unpkg

Findings

3 Critical5 High6 Medium6 Low
CriticalCritical Secretplugins/contextrelay/server/daemon.js
CriticalSecret Patternplugins/contextrelay/server/daemon.js
CriticalSecret Patternplugins/contextrelay/server/bridge-server.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processplugins/contextrelay/server/daemon.js
HighShellplugins/contextrelay/server/daemon.js
HighCross File Remote Execution Contextscripts/verify-plugin-sync.cjs
HighOversized Source Filedist/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperplugins/contextrelay/scripts/inject-pending-codex.sh
MediumOversized Cli Entrypointdist/cli.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalplugins/contextrelay/server/bridge-server.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings