registry  /  @reddb-io/red-skills  /  2.14.0

@reddb-io/red-skills@2.14.0

⚠ Under review

RedSkills plugin runtime bundles (dev, memory, brain) distributed over npm — the v2 client transport (ADR 0091). Carries the platform-independent JS bundles inside the tarball plus thin bin shims; no postinstall download.

Static Scan Results

scanned 18h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindingsShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 2.55 MB of source, external domains: api.minimax.io, github.com, json-schema.org, raw.githubusercontent.com
Oversized source lightweight scan
dist/memory.bundle.min.mjs4.61 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsEvalObfuscatedHighEntropyStringsMinified

Source & flagged code

10 flagged · loading source
bin/red-skills-memory.mjsView file
9*/ L10: import { spawnSync } from "node:child_process"; L11: import { existsSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/red-skills-memory.mjsView on unpkg · L9
dist/dev.bundle.min.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @reddb-io/red-skills@2.3.0 matchedIdentity = npm:QHJlZGRiLWlvL3JlZC1za2lsbHM:2.3.0 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/dev.bundle.min.mjsView on unpkg
311`)}catch{}}}return t=>{process.stdout.write(t+` L312: `)}}});var Fd,lG=h(()=>{"use strict";Fd=class{items=[];totalChars=0;maxChars;separator;constructor(t=65536,r=""){this.maxChars=t,this.separator=r}push(t){let r=t.length>this.maxCha... L313: `),E=new Fd(o,"");M7t({input:m.stdout}).on("line",b=>{A.push(b),g(b)}),m.stderr.on("data",b=>{E.push(b.toString())}),m.on("close",b=>{f({stdout:A.toString(),stderr:E.toString(),exi...
High
Shell

Package source references shell execution.

dist/dev.bundle.min.mjsView on unpkg · L311
41`);r.splice(1,3),t.stack=r.join(` L42: `)}return t},zJ=e=>ie(e,GJ),jEe=e=>ie(e,VF),YF=e=>ie(e,cI),Vht=mu(new Map),qEe=()=>Vht,VJ=(e,t)=>mu(new Map([[e.key,t]])),GEe=x(3,(e,t,r)=>{let n=new Map(e.unsafeMap);return n.set(... L43: ${this.stack.split(` L44: `).slice(1).join(` L45: `)}`:this.toString():"Bun"in globalThis?Ll(Fl(this),{renderErrorCause:!0}):this}}return Object.assign(e.prototype,lF),e}(),bE=(e,t)=>{class r extends FB{_tag=t}return Object.assign... L46: `);if(o[3]!==void 0)return n=o[3].trim(),n}}}},BE=ei()("[redacted]",{defaultValue:Fi})});var byt,dn,uIe,sL,jB,lIe,dIe,fIe,pIe,mIe,QI,hIe,gIe,aL,AIe,If=h(()=>{... L47: `).length;a=r.stack?`(${o}) ${r.stack.split(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/dev.bundle.min.mjsView on unpkg · L41
41`);r.splice(1,3),t.stack=r.join(` L42: `)}return t},zJ=e=>ie(e,GJ),jEe=e=>ie(e,VF),YF=e=>ie(e,cI),Vht=mu(new Map),qEe=()=>Vht,VJ=(e,t)=>mu(new Map([[e.key,t]])),GEe=x(3,(e,t,r)=>{let n=new Map(e.unsafeMap);return n.set(... L43: ${this.stack.split(` ... L45: `)}`:this.toString():"Bun"in globalThis?Ll(Fl(this),{renderErrorCause:!0}):this}}return Object.assign(e.prototype,lF),e}(),bE=(e,t)=>{class r extends FB{_tag=t}return Object.assign... L46: `);if(o[3]!==void 0)return n=o[3].trim(),n}}}},BE=ei()("[redacted]",{defaultValue:Fi})});var byt,dn,uIe,sL,jB,lIe,dIe,fIe,pIe,mIe,QI,hIe,gIe,aL,AIe,If=h(()=>{... L47: `).length;a=r.stack?`(${o}) ${r.stack.split(` ... L53: `).trim(),o}}return ye(()=>{let r=typeof e.options=="function"?e.options.apply(null,arguments):e.options;return WK(ye(()=>Wn(()=>e.body.apply(this,arguments))),r.name,{...r,capture... L54: Status: ${d}`})),tZ=()=>Array.from(Kl.roots),Tke=Y(tZ),Dke=e=>e.status,rZ=e=>HE(Io(e)),Qke=rZ(void 0),Fm="effect/FiberCurrent",Oke=()=>Jr(globalThis[Fm])});var jxt,Nke,Mke,A1,Ubr,q... L55: `),a=e.errorCall.stack.trim().split(`
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/dev.bundle.min.mjsView on unpkg · L41
19`)}if(AY(e)){let t=[];return xY(e,0,t),t.join(` L20: `)}return ER(e)}var MM,vx=h(()=>{"use strict";MM=" "});function sye(e){if(e===void 0||e.trim()==="")return;let t=Number(e);return Number.isFinite(t)&&t>0?t:void 0}function cft(e,t... L21: `);return CC({status:"discarded",worker:e,duration:`runner-broken, slot parked after ${n} fast deaths`,diff:"discarded",attempt:1,sections:[{name:"summary",body:i}]})}function mft(... L22: `)){i=i.replace(/\r$/,"");let s=i;if(!/".*"/.test(s)&&!/'.*'/.test(s)){let m=s.indexOf("#");m>=0&&(s=s.slice(0,m))}if(s.replace(/\s/g,"")==="")continue;let c=(s.match(/^\s*/)?.[0]?... ... L45: `)}`:this.toString():"Bun"in globalThis?Ll(Fl(this),{renderErrorCause:!0}):this}}return Object.assign(e.prototype,lF),e}(),bE=(e,t)=>{class r extends FB{_tag=t}return Object.assign... L46: `);if(o[3]!==void 0)return n=o[3].trim(),n}}}},BE=ei()("[redacted]",{defaultValue:Fi})});var byt,dn,uIe,sL,jB,lIe,dIe,fIe,pIe,mIe,QI,hIe,gIe,aL,AIe,If=h(()=>{... L47: `).length;a=r.stack?`(${o}) ${r.stack.split(` ... L53: `).trim(),o}}return ye(()=>{let r=typeof e.options=="function"?e.options.apply(null,arguments):e.options;return WK(ye(()=>Wn(()=>e.body.ap
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/dev.bundle.min.mjsView on unpkg · L19
50${n.join(` L51: `)}`),super(s),this._tag=t,this.traces=n,this[KIe]=Dyt,this.name=i,this.stack=a}pipe(){return Z(this,arguments)}toString(){return this.stack}[Ie](){return this.stack}},oK=class ext... L52: `).slice(2).join(`
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/dev.bundle.min.mjsView on unpkg · L50
bin/red-skills-dev.mjsView file
8Cross-file remote execution chain: bin/red-sk[redacted] spawns dist/dev.bundle.min.mjs; helper contains network access plus dynamic code execution. L8: */ L9: import { spawnSync } from "node:child_process"; L10: import { existsSync } from "node:fs"; ... L16: if (!existsSync(bundle)) { L17: process.stderr.write(`red-skills-dev: packaged bundle missing at ${bundle}\n`); L18: process.exit(1);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/red-skills-dev.mjsView on unpkg · L8
dist/memory.bundle.min.mjsView file
path = dist/memory.bundle.min.mjs kind = oversized_source_file sizeBytes = 4836821 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/memory.bundle.min.mjsView on unpkg
path = dist/memory.bundle.min.mjs kind = oversized_cli_entrypoint sizeBytes = 4836821 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/memory.bundle.min.mjsView on unpkg

Findings

1 Critical7 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/dev.bundle.min.mjs
HighChild Processbin/red-skills-memory.mjs
HighShelldist/dev.bundle.min.mjs
HighSame File Env Network Executiondist/dev.bundle.min.mjs
HighCommand Output Exfiltrationdist/dev.bundle.min.mjs
HighObfuscated Payload Loaderdist/dev.bundle.min.mjs
HighCross File Remote Execution Contextbin/red-skills-dev.mjs
HighOversized Source Filedist/memory.bundle.min.mjs
MediumEnvironment Vars
MediumProtestware
MediumOversized Cli Entrypointdist/memory.bundle.min.mjs
MediumStructural Risk Force Deep Review
LowEvaldist/dev.bundle.min.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings