registry  /  @sep-agent/magnus  /  1.0.5

@sep-agent/magnus@1.0.5

Magnus local source server, side panel UI, and Chrome extension shell.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis completed at 65.0% confidence. No malicious behavior was detected; 14 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 74 file(s), 1.59 MB of source, external domains: 127.0.0.1, aaabg.com, api.deepseek.com, api.openai.com, local.invalid, registry.npmjs.org, vuejs.org, www.w3.org

Source & flagged code

7 flagged · loading source
package/js/service-worker.jsView file
594if (params.type === "eval" && params.value) { L595: return eval(params.value); L596: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

package/js/service-worker.jsView on unpkg · L594
bin/magnus.jsView file
6L7: const fs = require('fs'); L8: const os = require('os');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/magnus.jsView on unpkg · L6
9const path = require('path'); L10: const http = require('http'); L11: const { spawn, spawnSync } = require('child_process'); L12: L13: const LABEL = 'com.magnus.source-server'; L14: const packageRoot = path.resolve(__dirname, '..'); L15: const serverScript = path.join(packageRoot, 'scripts', 'source-server.js'); ... L23: const chromeManifestPath = path.join(chromeExtensionDir, 'manifest.json'); L24: const packageJsonPath = path.join(packageRoot, 'package.json'); L25: L26: const HOST = process.env.MAGNUS_SOURCE_HOST || '127.0.0.1'; L27: const PORT = Number(argValue('--port') || process.env.MAGNUS_SOURCE_PORT || 17321);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/magnus.jsView on unpkg · L9
scripts/source-server/experience/task-session.jsView file
1const crypto = require('crypto'); L2:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

scripts/source-server/experience/task-session.jsView on unpkg · L1
package/app/package.zipView file
path = package/app/package.zip kind = high_entropy_blob sizeBytes = 87684 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

package/app/package.zipView on unpkg
path = package/app/package.zip kind = compressed_blob sizeBytes = 87684 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

package/app/package.zipView on unpkg
path = package/app/package.zip kind = nested_archive_needs_inspection sizeBytes = 87684 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

package/app/package.zipView on unpkg

Findings

1 High6 Medium7 Low
HighShips High Entropy Blobpackage/app/package.zip
MediumDynamic Requirebin/magnus.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/magnus.js
MediumShips Compressed Blobpackage/app/package.zip
MediumStructural Risk Force Deep Review
LowEvalpackage/js/service-worker.js
LowWeak Cryptoscripts/source-server/experience/task-session.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionpackage/app/package.zip