registry  /  @sma1lboy/kobe  /  0.7.56

@sma1lboy/kobe@0.7.56

TUI orchestrator for Claude Code (codename)

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 37 file(s), 1.91 MB of source, external domains: 127.0.0.1, api.github.com, api.openai.com, github.com, json.schemastore.org, opencode.ai, prosemirror.net, raw.githubusercontent.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = bun run scripts/check-preview-deps.ts || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bun run scripts/check-preview-deps.ts || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli/index.jsView file
2// @bun L3: var s3=Object.defineProperty;var t3=(J)=>J;function e3(J,z){this[J]=t3.bind(null,z)}var Q1=(J,z)=>{for(var Y in z)s3(J,Y,{get:z[Y],enumerable:!0,configurable:!0,set:e3.bind(z,Y)})}... L4: `).filter((Y)=>Y.length>0)}wrapCommand(J,z={}){let Y=z.cwd?`cd ${zZ(z.cwd)} && ${J}`:J;return`${QX(this.spec,{tty:z.tty}).map(KO).join(" ")} ${zZ(Y)}`}}var lW=(J,z)=>{let[Y,...Z]=J...
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L2
2// @bun L3: var s3=Object.defineProperty;var t3=(J)=>J;function e3(J,z){this[J]=t3.bind(null,z)}var Q1=(J,z)=>{for(var Y in z)s3(J,Y,{get:z[Y],enumerable:!0,configurable:!0,set:e3.bind(z,Y)})}... L4: `).filter((Y)=>Y.length>0)}wrapCommand(J,z={}){let Y=z.cwd?`cd ${zZ(z.cwd)} && ${J}`:J;return`${QX(this.spec,{tty:z.tty}).map(KO).join(" ")} ${zZ(Y)}`}}var lW=(J,z)=>{let[Y,...Z]=J...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L2
2// @bun L3: var s3=Object.defineProperty;var t3=(J)=>J;function e3(J,z){this[J]=t3.bind(null,z)}var Q1=(J,z)=>{for(var Y in z)s3(J,Y,{get:z[Y],enumerable:!0,configurable:!0,set:e3.bind(z,Y)})}... L4: `).filter((Y)=>Y.length>0)}wrapCommand(J,z={}){let Y=z.cwd?`cd ${zZ(z.cwd)} && ${J}`:J;return`${QX(this.spec,{tty:z.tty}).map(KO).join(" ")} ${zZ(Y)}`}}var lW=(J,z)=>{let[Y,...Z]=J...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.jsView on unpkg · L2
2// @bun L3: var s3=Object.defineProperty;var t3=(J)=>J;function e3(J,z){this[J]=t3.bind(null,z)}var Q1=(J,z)=>{for(var Y in z)s3(J,Y,{get:z[Y],enumerable:!0,configurable:!0,set:e3.bind(z,Y)})}... L4: `).filter((Y)=>Y.length>0)}wrapCommand(J,z={}){let Y=z.cwd?`cd ${zZ(z.cwd)} && ${J}`:J;return`${QX(this.spec,{tty:z.tty}).map(KO).join(" ")} ${zZ(Y)}`}}var lW=(J,z)=>{let[Y,...Z]=J...
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L2
135`),process.exit(2)}function R4(J){try{return uS(oH(process.cwd(),J),"utf8")}catch(z){lY(`cannot read ${J}: ${z instanceof Error?z.message:String(z)}`)}}function ES(J){let z={};for(... L136: `);return}let{getRepoInitOverride:Z,setRepoInitOverride:G,resolveRepoRoot:X}=await Promise.resolve().then(() => (A1(),tz)),{existsSync:Q}=await import("fs"),{join:H}=await import("... L137: `)});import{spawnSync as hS}from"child_process";function cS(J){let[z,Y]=J.split("/");if(!z||!Y)throw Error(`invalid GitHub repository slug: ${J}`);return{owner:z,name:Y}}function k...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/index.jsView on unpkg · L135
2// @bun L3: var s3=Object.defineProperty;var t3=(J)=>J;function e3(J,z){this[J]=t3.bind(null,z)}var Q1=(J,z)=>{for(var Y in z)s3(J,Y,{get:z[Y],enumerable:!0,configurable:!0,set:e3.bind(z,Y)})}... L4: `).filter((Y)=>Y.length>0)}wrapCommand(J,z={}){let Y=z.cwd?`cd ${zZ(z.cwd)} && ${J}`:J;return`${QX(this.spec,{tty:z.tty}).map(KO).join(" ")} ${zZ(Y)}`}}var lW=(J,z)=>{let[Y,...Z]=J... ... L17: `);while(z!==-1){let Y=this.buffer.slice(0,z);if(this.buffer=this.buffer.slice(z+1),Y.trim().length>0)this.onLine(Y);z=this.buffer.indexOf(` L18: `)}}onLine(J){let z;try{z=JSON.parse(J)}catch(Z){JJ("client-frame",Z);return}if(z.type==="event"){this.emit(z);return}if(z.type!=="response")return;let Y=this.pending.get(z.id);if(... L19: `).map((G)=>G.trim()).filter(Boolean)[0];if(!Z)return;if(Z.startsWith("claude:")&&Z.includes("aliased to")){let G=Z.split("aliased to")[1]?.trim();return G&&aO(G)?G:void 0}return Z... ... L21: `).map((G)=>G.trim()).filter(Boolean)[0];if(!Z)return;if(Z.startsWith("copilot:")&&Z.includes("aliased to")){let G=Z.split("aliased to")[1]?.trim();return G&&YA(G)?G:void 0}return ... L22: `)){let G=Z.trim();if(!G)continue;if(!kY(G))continue;let X;try{X=JSON.parse(G)}catch{c
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/index.jsView on unpkg · L2
dist/pulse-n3cq1btw.wavView file
path = dist/pulse-n3cq1btw.wav kind = high_entropy_blob sizeBytes = 176444 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/pulse-n3cq1btw.wavView on unpkg

Findings

6 High5 Medium8 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighCommand Output Exfiltrationdist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighShips High Entropy Blobdist/pulse-n3cq1btw.wav
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License