registry  /  @sep-agent/magnus  /  1.0.13

@sep-agent/magnus@1.0.13

Magnus local source server, side panel UI, and Chrome extension shell.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 74 file(s), 1.60 MB of source, external domains: 127.0.0.1, aaabg.com, api.deepseek.com, api.openai.com, local.invalid, registry.npmjs.org, vuejs.org, www.w3.org

Source & flagged code

8 flagged · loading source
package/js/service-worker.jsView file
594if (params.type === "eval" && params.value) { L595: return eval(params.value); L596: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

package/js/service-worker.jsView on unpkg · L594
bin/magnus.jsView file
6L7: const fs = require('fs'); L8: const os = require('os');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/magnus.jsView on unpkg · L6
9const path = require('path'); L10: const http = require('http'); L11: const { spawn, spawnSync } = require('child_process'); L12: L13: const LABEL = 'com.magnus.source-server'; L14: const packageRoot = path.resolve(__dirname, '..'); L15: const serverScript = path.join(packageRoot, 'scripts', 'source-server.js'); ... L24: const chromeManifestPath = path.join(chromeExtensionDir, 'manifest.json'); L25: const packageJsonPath = path.join(packageRoot, 'package.json'); L26: L27: const HOST = process.env.MAGNUS_SOURCE_HOST || '127.0.0.1'; L28: const PORT = Number(argValue('--port') || process.env.MAGNUS_SOURCE_PORT || 17321);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/magnus.jsView on unpkg · L9
scripts/source-server/experience/task-session.jsView file
1const crypto = require('crypto'); L2:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

scripts/source-server/experience/task-session.jsView on unpkg · L1
scripts/source-server/update/update-service.jsView file
5L6: const https = require('https'); L7: const fs = require('fs'); L8: const path = require('path'); L9: const { spawn } = require('child_process'); L10: L11: const rootDir = path.resolve(__dirname, '..', '..', '..'); L12: const updateState = { ... L16: finishedAt: 0, L17: exitCode: null, L18: error: '', ... L43: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/source-server/update/update-service.jsView on unpkg · L5
package/app/package.zipView file
path = package/app/package.zip kind = high_entropy_blob sizeBytes = 87684 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

package/app/package.zipView on unpkg
path = package/app/package.zip kind = compressed_blob sizeBytes = 87684 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

package/app/package.zipView on unpkg
path = package/app/package.zip kind = nested_archive_needs_inspection sizeBytes = 87684 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

package/app/package.zipView on unpkg

Findings

2 High6 Medium7 Low
HighSandbox Evasion Gated Capabilityscripts/source-server/update/update-service.js
HighShips High Entropy Blobpackage/app/package.zip
MediumDynamic Requirebin/magnus.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/magnus.js
MediumShips Compressed Blobpackage/app/package.zip
MediumStructural Risk Force Deep Review
LowEvalpackage/js/service-worker.js
LowWeak Cryptoscripts/source-server/experience/task-session.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionpackage/app/package.zip