registry  /  @stridekit/core-sdk  /  0.0.1

@stridekit/core-sdk@0.0.1

⚠ Under review

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 8 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 1.36 MB of source

Source & flagged code

2 flagged · loading source
index.cjs.jsView file
50this file except in compliance with the License. You may obtain a copy of the L51: License at http://www.apache.org/licenses/LICENSE-2.0 L52: ... L2546: } L2547: this.ws.send(message); L2548: } ... L2862: } else if (_instanceof$2(event.data, Blob)) { L2863: event.data.arrayBuffer().then(function(buf) { L2864: return _this.handleBinaryMessage(new Uint8Array(buf)); ... L3355: * L3356: * Use this for non-interactive commands where you want captured stdout/stderr L3357: * back as a `CommandFinished` result, or a live `Command` handle when
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

index.cjs.jsView on unpkg · L50
node.cjs.jsView file
Trigger-reachable chain: manifest.main -> node.cjs.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

node.cjs.jsView on unpkg

Findings

2 Critical1 High3 Medium2 Low
CriticalRemote Asset Decode Executeindex.cjs.js
CriticalTrigger Reachable Dangerous Capabilitynode.cjs.js
HighChild Process
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings