registry  /  @qoder-ai/qoder-agent-sdk  /  1.0.13

@qoder-ai/qoder-agent-sdk@1.0.13

TypeScript SDK for building Qoder-powered coding agents.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 6 file(s), 155 KB of source, external domains: api.qoder.com, download.qoder.com, qs-cli-dev.oss-cn-hangzhou.aliyuncs.com, static.qoder.com.cn

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
1var ms=Object.defineProperty;var hs=(s,e)=>{for(var t in e)ms(s,t,{get:e[t],enumerable:!0})};import{spawn as Us}from"child_process";import{createInterface as js}from"readline";var ... L2: `)?e:e+`
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1
1var ms=Object.defineProperty;var hs=(s,e)=>{for(var t in e)ms(s,t,{get:e[t],enumerable:!0})};import{spawn as Us}from"child_process";import{createInterface as js}from"readline";var ... L2: `)?e:e+` ... L11: `),this.diagnostics?.record(`[QueryRunner] inbound control_response sent request_id=${t} subtype=${r} status=error duration_ms=${Date.now()-o}`,i)}}finally{this.pendingInboundReque... L12: `),this.recordOutboundSessionMessage(r)}t>0&&this.hasBidirectionalNeeds()&&await this.waitForFirstResult(),this.transport.endInput()}catch(t){this.diagnostics?.record("[QueryRunner... L13: `))!==-1;){let u=o.slice(0,c);o=o.slice(c+1);let p=u.endsWith("\r")?u.slice(0,-1):u;if(this.consumeSseLine(p,n),this.closed)break}o.length>Kt&&(this.diagnostics?.record(`[cloud-age...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
1var ms=Object.defineProperty;var hs=(s,e)=>{for(var t in e)ms(s,t,{get:e[t],enumerable:!0})};import{spawn as Us}from"child_process";import{createInterface as js}from"readline";var ... L2: `)?e:e+` L3: `;if(!this.ready){if(this.initializePromise){this.pendingInput.push({type:"write",line:t});return}throw new Error("Transport is not ready or has been closed")}this.writeReadyLine(t... L4: `)?e:e+` ... L11: `),this.diagnostics?.record(`[QueryRunner] inbound control_response sent request_id=${t} subtype=${r} status=error duration_ms=${Date.now()-o}`,i)}}finally{this.pendingInboundReque... L12: `),this.recordOutboundSessionMessage(r)}t>0&&this.hasBidirectionalNeeds()&&await this.waitForFirstResult(),this.transport.endInput()}catch(t){this.diagnostics?.record("[QueryRunner... L13: `))!==-1;){let u=o.slice(0,c);o=o.slice(c+1);let p=u.endsWith("\r")?u.slice(0,-1):u;if(this.consumeSseLine(p,n),this.closed)break}o.length>Kt&&(this.diagnostics?.record(`[cloud-age...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1

Findings

4 High4 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License