registry  /  @sma1lboy/kobe  /  0.7.78

@sma1lboy/kobe@0.7.78

TUI orchestrator for Claude Code (codename)

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 41 file(s), 2.67 MB of source, external domains: 127.0.0.1, api.github.com, api.openai.com, fburl.com, github.com, json.schemastore.org, opencode.ai, prosemirror.net, raw.githubusercontent.com, react.dev, reactjs.org, registry.npmjs.org, www.w3.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = bun run scripts/check-preview-deps.ts || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bun run scripts/check-preview-deps.ts || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli/index.jsView file
2// @bun L3: var en=Object.create;var{getPrototypeOf:$i,defineProperty:vC,getOwnPropertyNames:Xi}=Object;var Ji=Object.prototype.hasOwnProperty;function Zi($){return this[$]}var zi,Qi,K0=($,X,J... L4: `).filter((J)=>J.length>0)}wrapCommand($,X={}){let J=X.cwd?`cd ${lF(X.cwd)} && ${$}`:$;return`${cF(this.spec,{tty:X.tty}).map(Ei).join(" ")} ${lF(J)}`}}var lF,gi,aP=($,X)=>{let[J,....
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L2
2// @bun L3: var en=Object.create;var{getPrototypeOf:$i,defineProperty:vC,getOwnPropertyNames:Xi}=Object;var Ji=Object.prototype.hasOwnProperty;function Zi($){return this[$]}var zi,Qi,K0=($,X,J... L4: `).filter((J)=>J.length>0)}wrapCommand($,X={}){let J=X.cwd?`cd ${lF(X.cwd)} && ${$}`:$;return`${cF(this.spec,{tty:X.tty}).map(Ei).join(" ")} ${lF(J)}`}}var lF,gi,aP=($,X)=>{let[J,.... ... L6: `)}return tC+[W,Q].join(` L7: `)}function ii($){let X=$.lastIndexOf("/");return X<=0?".":$.slice(0,X)}function eP($){return`cd ${C2($)} && while :; do clear; printf "\\033[1m# %s\\033[0m\\n\\n" ${C2($)}; ... L8: `).map((Y)=>Y.trim()).filter(Boolean)[0];if(!Q)return;if(Q.startsWith("claude:")&&Q.includes("aliased to")){let Y=Q.split("aliased to")[1]?.trim();return Y&&ei(Y)?Y:void 0}return Q...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L2
2// @bun L3: var en=Object.create;var{getPrototypeOf:$i,defineProperty:vC,getOwnPropertyNames:Xi}=Object;var Ji=Object.prototype.hasOwnProperty;function Zi($){return this[$]}var zi,Qi,K0=($,X,J... L4: `).filter((J)=>J.length>0)}wrapCommand($,X={}){let J=X.cwd?`cd ${lF(X.cwd)} && ${$}`:$;return`${cF(this.spec,{tty:X.tty}).map(Ei).join(" ")} ${lF(J)}`}}var lF,gi,aP=($,X)=>{let[J,.... ... L6: `)}return tC+[W,Q].join(` L7: `)}function ii($){let X=$.lastIndexOf("/");return X<=0?".":$.slice(0,X)}function eP($){return`cd ${C2($)} && while :; do clear; printf "\\033[1m# %s\\033[0m\\n\\n" ${C2($)}; ... L8: `).map((Y)=>Y.trim()).filter(Boolean)[0];if(!Q)return;if(Q.startsWith("claude:")&&Q.includes("aliased to")){let Y=Q.split("aliased to")[1]?.trim();return Y&&ei(Y)?Y:void 0}return Q...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.jsView on unpkg · L2
6`)}return tC+[W,Q].join(` L7: `)}function ii($){let X=$.lastIndexOf("/");return X<=0?".":$.slice(0,X)}function eP($){return`cd ${C2($)} && while :; do clear; printf "\\033[1m# %s\\033[0m\\n\\n" ${C2($)}; ... L8: `).map((Y)=>Y.trim()).filter(Boolean)[0];if(!Q)return;if(Q.startsWith("claude:")&&Q.includes("aliased to")){let Y=Q.split("aliased to")[1]?.trim();return Y&&ei(Y)?Y:void 0}return Q...
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L6
74`)){let[H,K]=W.split("\t");if(!H)continue;if(!q)q=H.trim();if(K?.trim()===X)return H.trim()}return J?q:""}async function T_($){return o_($,a_,!0)}async function vq($){return o_($,a... L75: `)){let Y=Number.parseInt(Q.trim(),10);if(!Number.isFinite(Y)||Y<=1)continue;if(Y===E21())continue;try{process.kill(-Y,"SIGTERM")}catch{}}}async function Vb($){await s_(["-s","-t",... L76:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/index.jsView on unpkg · L74
2// @bun L3: var en=Object.create;var{getPrototypeOf:$i,defineProperty:vC,getOwnPropertyNames:Xi}=Object;var Ji=Object.prototype.hasOwnProperty;function Zi($){return this[$]}var zi,Qi,K0=($,X,J... L4: `).filter((J)=>J.length>0)}wrapCommand($,X={}){let J=X.cwd?`cd ${lF(X.cwd)} && ${$}`:$;return`${cF(this.spec,{tty:X.tty}).map(Ei).join(" ")} ${lF(J)}`}}var lF,gi,aP=($,X)=>{let[J,.... L5: `)}function YS($,X,J){let Q=V$($,J),Y=X?.initScript?.trim();if(!Y)return Q;let q=JA(X?.timeoutSeconds),W=ni(Y,q);if(X?.markerPath){let H=C2(X.markerPath),K=C2(ii(X.markerPath));ret... L6: `)}return tC+[W,Q].join(` L7: `)}function ii($){let X=$.lastIndexOf("/");return X<=0?".":$.slice(0,X)}function eP($){return`cd ${C2($)} && while :; do clear; printf "\\033[1m# %s\\033[0m\\n\\n" ${C2($)}; ... L8: `).map((Y)=>Y.trim()).filter(Boolean)[0];if(!Q)return;if(Q.startsWith("claude:")&&Q.includes("aliased to")){let Y=Q.split("aliased to")[1]?.trim();return Y&&ei(Y)?Y:void 0}return Q... L9: `).map((Y)=>Y.trim()).filter(Boolean)[0];if(!Q)return;if(Q.startsWith("codex:")&&Q.includes("aliased to")){let Y=Q.split("aliased to")[1]?.trim();return Y&&za(Y)?Y:void 0}return Q}... L10: `).map((Y)=>Y.trim()).fil
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/index.jsView on unpkg · L2
dist/pulse-n3cq1btw.wavView file
path = dist/pulse-n3cq1btw.wav kind = high_entropy_blob sizeBytes = 176444 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/pulse-n3cq1btw.wavView on unpkg

Findings

6 High5 Medium8 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighCommand Output Exfiltrationdist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighShips High Entropy Blobdist/pulse-n3cq1btw.wav
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License