registry  /  @sma1lboy/kobe  /  0.7.63

@sma1lboy/kobe@0.7.63

⚠ Under review

TUI orchestrator for Claude Code (codename)

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 38 file(s), 1.94 MB of source, external domains: 127.0.0.1, api.github.com, api.openai.com, github.com, json.schemastore.org, opencode.ai, prosemirror.net, raw.githubusercontent.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = bun run scripts/check-preview-deps.ts || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bun run scripts/check-preview-deps.ts || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @sma1lboy/kobe@0.7.57 matchedIdentity = npm:QHNtYTFsYm95L2tvYmU:0.7.57 similarity = 0.811 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/index.jsView on unpkg
2// @bun L3: var M2=Object.defineProperty;var O2=(J)=>J;function A2(J,z){this[J]=O2.bind(null,z)}var X1=(J,z)=>{for(var Z in z)M2(J,Z,{get:z[Z],enumerable:!0,configurable:!0,set:A2.bind(z,Z)})}... L4: `).filter((Z)=>Z.length>0)}wrapCommand(J,z={}){let Z=z.cwd?`cd ${Yq(z.cwd)} && ${J}`:J;return`${Zq(this.spec,{tty:z.tty}).map($2).join(" ")} ${Yq(Z)}`}}var Yq,l2,tW=(J,z)=>{let[Z,....
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L2
2// @bun L3: var M2=Object.defineProperty;var O2=(J)=>J;function A2(J,z){this[J]=O2.bind(null,z)}var X1=(J,z)=>{for(var Z in z)M2(J,Z,{get:z[Z],enumerable:!0,configurable:!0,set:A2.bind(z,Z)})}... L4: `).filter((Z)=>Z.length>0)}wrapCommand(J,z={}){let Z=z.cwd?`cd ${Yq(z.cwd)} && ${J}`:J;return`${Zq(this.spec,{tty:z.tty}).map($2).join(" ")} ${Yq(Z)}`}}var Yq,l2,tW=(J,z)=>{let[Z,.... ... L6: `)}return Sj+[q,Y].join(` L7: `)}function GN(J){let z=J.lastIndexOf("/");return z<=0?".":J.slice(0,z)}function YU(J){return`cd ${s0(J)} && while :; do clear; printf "\\033[1m# %s\\033[0m\\n\\n" ${s0(J)}; ... L8: `).map((X)=>X.trim()).filter(Boolean)[0];if(!Y)return;if(Y.startsWith("claude:")&&Y.includes("aliased to")){let X=Y.split("aliased to")[1]?.trim();return X&&WN(X)?X:void 0}return Y...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L2
2// @bun L3: var M2=Object.defineProperty;var O2=(J)=>J;function A2(J,z){this[J]=O2.bind(null,z)}var X1=(J,z)=>{for(var Z in z)M2(J,Z,{get:z[Z],enumerable:!0,configurable:!0,set:A2.bind(z,Z)})}... L4: `).filter((Z)=>Z.length>0)}wrapCommand(J,z={}){let Z=z.cwd?`cd ${Yq(z.cwd)} && ${J}`:J;return`${Zq(this.spec,{tty:z.tty}).map($2).join(" ")} ${Yq(Z)}`}}var Yq,l2,tW=(J,z)=>{let[Z,.... ... L6: `)}return Sj+[q,Y].join(` L7: `)}function GN(J){let z=J.lastIndexOf("/");return z<=0?".":J.slice(0,z)}function YU(J){return`cd ${s0(J)} && while :; do clear; printf "\\033[1m# %s\\033[0m\\n\\n" ${s0(J)}; ... L8: `).map((X)=>X.trim()).filter(Boolean)[0];if(!Y)return;if(Y.startsWith("claude:")&&Y.includes("aliased to")){let X=Y.split("aliased to")[1]?.trim();return X&&WN(X)?X:void 0}return Y...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.jsView on unpkg · L2
6`)}return Sj+[q,Y].join(` L7: `)}function GN(J){let z=J.lastIndexOf("/");return z<=0?".":J.slice(0,z)}function YU(J){return`cd ${s0(J)} && while :; do clear; printf "\\033[1m# %s\\033[0m\\n\\n" ${s0(J)}; ... L8: `).map((X)=>X.trim()).filter(Boolean)[0];if(!Y)return;if(Y.startsWith("claude:")&&Y.includes("aliased to")){let X=Y.split("aliased to")[1]?.trim();return X&&WN(X)?X:void 0}return Y...
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L6
210`),process.exit(2)}function $O(J){try{return rw(Gj(process.cwd(),PJ(J)),"utf8")}catch(z){HY(`cannot read ${J}: ${z instanceof Error?z.message:String(z)}`)}}function ow(J){let z={};... L211: `);return}let{getRepoInitOverride:Y,setRepoInitOverride:X,resolveRepoRoot:Q}=await Promise.resolve().then(() => (I1(),jZ)),{existsSync:q}=await import("fs"),{join:H}=await import("... L212: `)});async function rO(J={}){let z=J.mode==="require-running"?await iJ():await Ez();if(!z)return null;return{client:z,close:()=>z.close()}}var oO=C(()=>{IJ()});var qA={};X1(qA,{ver...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/index.jsView on unpkg · L210
2// @bun L3: var M2=Object.defineProperty;var O2=(J)=>J;function A2(J,z){this[J]=O2.bind(null,z)}var X1=(J,z)=>{for(var Z in z)M2(J,Z,{get:z[Z],enumerable:!0,configurable:!0,set:A2.bind(z,Z)})}... L4: `).filter((Z)=>Z.length>0)}wrapCommand(J,z={}){let Z=z.cwd?`cd ${Yq(z.cwd)} && ${J}`:J;return`${Zq(this.spec,{tty:z.tty}).map($2).join(" ")} ${Yq(Z)}`}}var Yq,l2,tW=(J,z)=>{let[Z,.... L5: `)}function BU(J,z,Z){let Y=mJ(J,Z),X=z?.initScript?.trim();if(!X)return Y;let Q=Ej(z?.timeoutSeconds),q=QN(X,Q);if(z?.markerPath){let H=s0(z.markerPath),j=s0(GN(z.markerPath));ret... L6: `)}return Sj+[q,Y].join(` L7: `)}function GN(J){let z=J.lastIndexOf("/");return z<=0?".":J.slice(0,z)}function YU(J){return`cd ${s0(J)} && while :; do clear; printf "\\033[1m# %s\\033[0m\\n\\n" ${s0(J)}; ... L8: `).map((X)=>X.trim()).filter(Boolean)[0];if(!Y)return;if(Y.startsWith("claude:")&&Y.includes("aliased to")){let X=Y.split("aliased to")[1]?.trim();return X&&WN(X)?X:void 0}return Y... ... L31: `).map((B)=>B.split("\t")).filter((B)=>(B[0]?.trim()??"")!=="");if(Y.length===0)return;if(Y.some((B)=>B[5]?.trim()==="1"))return;if(Y.some((B)=>(B[6]?.trim()??"")!==""))return;if(Y... L32: `).map((Y)=>Y.split(
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/index.jsView on unpkg · L2
dist/pulse-n3cq1btw.wavView file
path = dist/pulse-n3cq1btw.wav kind = high_entropy_blob sizeBytes = 176444 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/pulse-n3cq1btw.wavView on unpkg

Findings

1 Critical6 High5 Medium8 Low
CriticalPrevious Version Dangerous Deltadist/cli/index.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighCommand Output Exfiltrationdist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighShips High Entropy Blobdist/pulse-n3cq1btw.wav
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License