registry  /  @sma1lboy/kobe  /  0.7.59

@sma1lboy/kobe@0.7.59

⚠ Under review

TUI orchestrator for Claude Code (codename)

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 38 file(s), 1.93 MB of source, external domains: 127.0.0.1, api.github.com, api.openai.com, github.com, json.schemastore.org, opencode.ai, prosemirror.net, raw.githubusercontent.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = bun run scripts/check-preview-deps.ts || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bun run scripts/check-preview-deps.ts || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @sma1lboy/kobe@0.7.57 matchedIdentity = npm:QHNtYTFsYm95L2tvYmU:0.7.57 similarity = 0.838 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli/index.jsView on unpkg
2// @bun L3: var lO=Object.defineProperty;var $O=(J)=>J;function aO(J,z){this[J]=$O.bind(null,z)}var H1=(J,z)=>{for(var Z in z)lO(J,Z,{get:z[Z],enumerable:!0,configurable:!0,set:aO.bind(z,Z)})}... L4: `).filter((Z)=>Z.length>0)}wrapCommand(J,z={}){let Z=z.cwd?`cd ${$Q(z.cwd)} && ${J}`:J;return`${lQ(this.spec,{tty:z.tty}).map(BA).join(" ")} ${$Q(Z)}`}}var $Q,jA,AV=(J,z)=>{let[Z,....
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L2
2// @bun L3: var lO=Object.defineProperty;var $O=(J)=>J;function aO(J,z){this[J]=$O.bind(null,z)}var H1=(J,z)=>{for(var Z in z)lO(J,Z,{get:z[Z],enumerable:!0,configurable:!0,set:aO.bind(z,Z)})}... L4: `).filter((Z)=>Z.length>0)}wrapCommand(J,z={}){let Z=z.cwd?`cd ${$Q(z.cwd)} && ${J}`:J;return`${lQ(this.spec,{tty:z.tty}).map(BA).join(" ")} ${$Q(Z)}`}}var $Q,jA,AV=(J,z)=>{let[Z,....
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L2
2// @bun L3: var lO=Object.defineProperty;var $O=(J)=>J;function aO(J,z){this[J]=$O.bind(null,z)}var H1=(J,z)=>{for(var Z in z)lO(J,Z,{get:z[Z],enumerable:!0,configurable:!0,set:aO.bind(z,Z)})}... L4: `).filter((Z)=>Z.length>0)}wrapCommand(J,z={}){let Z=z.cwd?`cd ${$Q(z.cwd)} && ${J}`:J;return`${lQ(this.spec,{tty:z.tty}).map(BA).join(" ")} ${$Q(Z)}`}}var $Q,jA,AV=(J,z)=>{let[Z,....
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.jsView on unpkg · L2
2// @bun L3: var lO=Object.defineProperty;var $O=(J)=>J;function aO(J,z){this[J]=$O.bind(null,z)}var H1=(J,z)=>{for(var Z in z)lO(J,Z,{get:z[Z],enumerable:!0,configurable:!0,set:aO.bind(z,Z)})}... L4: `).filter((Z)=>Z.length>0)}wrapCommand(J,z={}){let Z=z.cwd?`cd ${$Q(z.cwd)} && ${J}`:J;return`${lQ(this.spec,{tty:z.tty}).map(BA).join(" ")} ${$Q(Z)}`}}var $Q,jA,AV=(J,z)=>{let[Z,....
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L2
136`),process.exit(2)}function YD(J){try{return yS(zj(process.cwd(),J),"utf8")}catch(z){pZ(`cannot read ${J}: ${z instanceof Error?z.message:String(z)}`)}}function TS(J){let z={};for(... L137: `);return}let{getRepoInitOverride:Y,setRepoInitOverride:X,resolveRepoRoot:G}=await Promise.resolve().then(() => (S1(),zZ)),{existsSync:q}=await import("fs"),{join:H}=await import("... L138: `)});import{spawnSync as ES}from"child_process";function hS(J){let[z,Z]=J.split("/");if(!z||!Z)throw Error(`invalid GitHub repository slug: ${J}`);return{owner:z,name:Z}}function q...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/index.jsView on unpkg · L136
2// @bun L3: var lO=Object.defineProperty;var $O=(J)=>J;function aO(J,z){this[J]=$O.bind(null,z)}var H1=(J,z)=>{for(var Z in z)lO(J,Z,{get:z[Z],enumerable:!0,configurable:!0,set:aO.bind(z,Z)})}... L4: `).filter((Z)=>Z.length>0)}wrapCommand(J,z={}){let Z=z.cwd?`cd ${$Q(z.cwd)} && ${J}`:J;return`${lQ(this.spec,{tty:z.tty}).map(BA).join(" ")} ${$Q(Z)}`}}var $Q,jA,AV=(J,z)=>{let[Z,.... ... L17: `);while(z!==-1){let Z=this.buffer.slice(0,z);if(this.buffer=this.buffer.slice(z+1),Z.trim().length>0)this.onLine(Z);z=this.buffer.indexOf(` L18: `)}}onLine(J){let z;try{z=JSON.parse(J)}catch(Y){QJ("client-frame",Y);return}if(z.type==="event"){this.emit(z);return}if(z.type!=="response")return;let Z=this.pending.get(z.id);if(... L19: `).map((X)=>X.trim()).filter(Boolean)[0];if(!Y)return;if(Y.startsWith("claude:")&&Y.includes("aliased to")){let X=Y.split("aliased to")[1]?.trim();return X&&dA(X)?X:void 0}return Y... ... L21: `).map((X)=>X.trim()).filter(Boolean)[0];if(!Y)return;if(Y.startsWith("copilot:")&&Y.includes("aliased to")){let X=Y.split("aliased to")[1]?.trim();return X&&sA(X)?X:void 0}return ... L22: `)){let X=Y.trim();if(!X)continue;if(!SZ(X))continue;let G;try{G=JSON.parse(X)}catch{c
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/index.jsView on unpkg · L2
dist/pulse-n3cq1btw.wavView file
path = dist/pulse-n3cq1btw.wav kind = high_entropy_blob sizeBytes = 176444 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/pulse-n3cq1btw.wavView on unpkg

Findings

1 Critical6 High5 Medium8 Low
CriticalPrevious Version Dangerous Deltadist/cli/index.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighCommand Output Exfiltrationdist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighShips High Entropy Blobdist/pulse-n3cq1btw.wav
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License