@straiffi/archon@1.3.11

⚠ Under review

Archon is a ticket-driven interface for AI-assisted code automation. Create tickets, plan features, then let an AI agent such as Claude or OpenCode implement them in isolated git worktrees.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, Telemetry, UrlStrings
Manifest
NoLicense
scanned 190 file(s), 6.30 MB of source, external domains: 127.0.0.1, api.github.com, archon.example.com, chevrotain.io, en.wikipedia.org, github.com, langium.org, radix-ui.com, react.dev, socket.io, www.w3.org, your-company.atlassian.net

Source & flagged code

3 flagged
dist/cli.js
L166: const serverModule = await import(pathToFileURL(DIST_SERVER_ENTRY_PATH).href)
L167: if (typeof serverModule.registerShutdownHandlers === 'function') {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.js · L165
dist/client/assets/index-Cs7XmROA.js
L72: contains invisible/control Unicode U+200B (zero width space)
`),t.push(`setup commands`)),rte(n.runServices)&&e.run_services.length>0&&(r.runServices=e.run_services.map(e=>({name:e.name??``,cmd:e.cmd,cwd:e.cwd??``})),t.push(`services`)),ite(n.testCommands)&&(e.test_commands??[]).length>0&&(r.testComm
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/client/assets/index-Cs7XmROA.js · L72
dist/client/assets/jetbrains-mono-latin-wght-normal-B9CIFXIH.woff2
path = dist/client/assets/jetbrains-mono-latin-wght-normal-B9CIFXIH.woff2
kind = high_entropy_blob
sizeBytes = 40404
magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/jetbrains-mono-latin-wght-normal-B9CIFXIH.woff2

Findings

1 Critical, 1 High, 5 Medium, 8 Low
Critical · Trojan Source Unicode · dist/client/assets/index-Cs7XmROA.js
High · Ships High Entropy Blob · dist/client/assets/jetbrains-mono-latin-wght-normal-B9CIFXIH.woff2
Medium · Dynamic Require · dist/cli.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License