registry  /  @simonyea/holysheep-cli  /  2.1.104

@simonyea/holysheep-cli@2.1.104

⚠ Under review

Claude Code/Cursor/Cline API relay for China — ¥1=$1, WeChat/Alipay payment, no credit card, no VPN. One command setup for all AI coding tools.

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 718 KB of source, external domains: 127.0.0.1, aistudio.google.com, api.holysheep.ai, app.factory.ai, bun.sh, claude.ai, developers.openai.com, docs.anthropic.com, docs.factory.ai, docs.openclaw.ai, gitee.com, github.com, hermes-agent.nousresearch.com, holysheep.ai, mail.holysheep.ai, nodejs.org, opencode.ai, qwenlm.github.io, raw.githubusercontent.com, registry.npmjs.org, registry.npmmirror.com, www.codebuddy.ai, www.holysheep.ai

Source & flagged code

10 flagged · loading source
dist/configure-worker.jsView file
1082var fs = require("fs"); L1083: var { exec, execSync, execFileSync } = require("child_process"); L1084: function canRun(command, options = {}) {
High
Child Process

Package source references child process execution.

dist/configure-worker.jsView on unpkg · L1082
1154const out = execFileSync( L1155: "powershell.exe", L1156: ["-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", "[Environment]::GetEnvironmentVariable('Path', 'User')"],
High
Shell

Package source references shell execution.

dist/configure-worker.jsView on unpkg · L1154
14Cross-file remote execution chain: dist/configure-worker.js spawns dist/process-proxy-inject.js; helper contains network access plus dynamic code execution. L14: var os = require("os"); L15: var CONFIG_DIR = path.join(os.homedir(), ".holysheep"); L16: var CONFIG_FILE = path.join(CONFIG_DIR, "config.json"); L17: var BASE_URL_ANTHROPIC = "https://api.holysheep.ai"; L18: var BASE_URL_OPENAI = "https://api.holysheep.ai/v1"; L19: var BASE_URL_CLAUDE_RELAY = process.env.HOLYSHEEP_CLAUDE_RELAY_URL || "https://api.holysheep.ai/claude-relay"; L20: var SHOP_URL = "https://holysheep.ai"; ... L29: if (fs.existsSync(CONFIG_FILE)) { L30: return JSON.parse(fs.readFileSync(CONFIG_FILE, "utf8")); L31: } ... L280: headers: { "content-type": "application/json" }, L281: body: JSON.stringify(requestBody)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/configure-worker.jsView on unpkg · L14
3326if (hasNpx()) { L3327: return { cmd: "npx", argsPrefix: ["openclaw"], shell: isWin, label: "npx openclaw", via: "npx" }; L3328: } ... L3335: function runWithRunner(runner, args, opts = {}) { L3336: return spawnSync(runner.cmd, [...runner.argsPrefix, ...args], { L3337: shell: runner.shell,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/configure-worker.jsView on unpkg · L3326
14var os = require("os"); L15: var CONFIG_DIR = path.join(os.homedir(), ".holysheep"); L16: var CONFIG_FILE = path.join(CONFIG_DIR, "config.json"); L17: var BASE_URL_ANTHROPIC = "https://api.holysheep.ai"; L18: var BASE_URL_OPENAI = "https://api.holysheep.ai/v1"; L19: var BASE_URL_CLAUDE_RELAY = process.env.HOLYSHEEP_CLAUDE_RELAY_URL || "https://api.holysheep.ai/claude-relay"; L20: var SHOP_URL = "https://holysheep.ai"; ... L29: if (fs.existsSync(CONFIG_FILE)) { L30: return JSON.parse(fs.readFileSync(CONFIG_FILE, "utf8")); L31: } ... L280: headers: { "content-type": "application/json" }, L281: body: JSON.stringify(requestBody)
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/configure-worker.jsView on unpkg · L14
dist/index.jsView file
7400var os = require("os"); L7401: var http = require("http"); L7402: var { spawn, execSync, execFileSync } = require("child_process"); L7403: var chalk2 = require("chalk"); ... L7415: var { getApiKey } = require_config(); L7416: var HS_DIR = process.env.HOLYSHEEP_DIR || path.join(os.homedir(), ".holysheep"); L7417: var PID_FILE = path.join(HS_DIR, "claude-proxy.pid");
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/index.jsView on unpkg · L7400
9L10: // package.json L11: var require_package = __commonJS({ ... L61: ], L62: homepage: "https://holysheep.ai", L63: repository: { ... L106: var os = require("os"); L107: var CONFIG_DIR = path.join(os.homedir(), ".holysheep"); L108: var CONFIG_FILE = path.join(CONFIG_DIR, "config.json"); ... L110: var BASE_URL_OPENAI = "https://api.holysheep.ai/v1"; L111: var BASE_URL_CLAUDE_RELAY = process.env.HOLYSHEEP_CLAUDE_RELAY_URL || "https://api.holysheep.ai/claude-relay"; L112: var SHOP_URL = "https://holysheep.ai";
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L9
9Trigger-reachable chain: manifest.main -> dist/index.js L9: L10: // package.json L11: var require_package = __commonJS({ ... L61: ], L62: homepage: "https://holysheep.ai", L63: repository: { ... L106: var os = require("os"); L107: var CONFIG_DIR = path.join(os.homedir(), ".holysheep"); L108: var CONFIG_FILE = path.join(CONFIG_DIR, "config.json"); ... L110: var BASE_URL_OPENAI = "https://api.holysheep.ai/v1"; L111: var BASE_URL_CLAUDE_RELAY = process.env.HOLYSHEEP_CLAUDE_RELAY_URL || "https://api.holysheep.ai/claude-relay"; L112: var SHOP_URL = "https://holysheep.ai";
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L9
9L10: // package.json L11: var require_package = __commonJS({ ... L61: ], L62: homepage: "https://holysheep.ai", L63: repository: { ... L106: var os = require("os"); L107: var CONFIG_DIR = path.join(os.homedir(), ".holysheep"); L108: var CONFIG_FILE = path.join(CONFIG_DIR, "config.json"); ... L110: var BASE_URL_OPENAI = "https://api.holysheep.ai/v1"; L111: var BASE_URL_CLAUDE_RELAY = process.env.HOLYSHEEP_CLAUDE_RELAY_URL || "https://api.holysheep.ai/claude-relay"; L112: var SHOP_URL = "https://holysheep.ai";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L9
dist/pty-hermes-wrapper.pyView file
path = dist/pty-hermes-wrapper.py kind = build_helper sizeBytes = 6726 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/pty-hermes-wrapper.pyView on unpkg

Findings

3 Critical5 High5 Medium5 Low
CriticalSame File Env Network Executiondist/index.js
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/configure-worker.js
HighShelldist/configure-worker.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCross File Remote Execution Contextdist/configure-worker.js
HighRuntime Package Installdist/configure-worker.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/configure-worker.js
MediumShips Build Helperdist/pty-hermes-wrapper.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings