registry  /  @reslava/loom  /  1.16.0

@reslava/loom@1.16.0

**Document-native workflow for AI-assisted development.** Weave ideas into features with AI.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.26 MB of source, external domains: eu.i.posthog.com, github.com

Source & flagged code

3 flagged · loading source
dist/index.jsView file
3492if (!fs24[gracefulQueue]) { L3493: queue = global[gracefulQueue] || []; L3494: publishQueue(fs24, queue);
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L3492
14126if (ast.body[0].expression.body.type === "BlockStatement") { L14127: return new Function(params, source.slice(body[0] + 1, body[1] - 1)); L14128: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L14126
34* Constructs the CommanderError class L35: * @param {number} exitCode suggested exit code which could be used with process.exit L36: * @param {string} code an id string representing the error ... L960: var EventEmitter = require("node:events").EventEmitter; L961: var childProcess = require("node:child_process"); L962: var path2 = require("node:path"); ... L1009: this._outputConfiguration = { L1010: writeOut: (str2) => process3.stdout.write(str2), L1011: writeErr: (str2) => process3.stderr.write(str2), ... L1045: * @returns {Command[]} L1046: * @private L1047: */
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L34

Findings

1 High3 Medium7 Low
HighObfuscated Payload Loaderdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings