@telora/daemon@0.19.74

⚠ Under review

Agent orchestration daemon for Telora - spawns and manages Claude Code instances

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 366 file(s), 2.67 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.openai.com, api.osv.dev, api.syntelyos.com

Source & flagged code

4 flagged
dist/unified-shell.js
L27: import { fileURLToPath } from 'node:url';
L28: import { spawn, execFileSync } from 'node:child_process';
L29: import { loadUnifiedConfig, loadEnvConfig, acquirePidLock, releasePidLock, PidLockError, } from '@telora/daemon-core';
High
Child Process

Package source references child process execution.

dist/unified-shell.js · L27
dist/self-update.js
L12: * Three installation modes:
L13: * - **npm**: Installed globally via `npm install -g @telora/daemon`.
L14: * Updates via `npm install -g @telora/daemon@latest`.
...
L21: */
L22: import { execFileSync, execFile } from 'node:child_process';
L23: import { existsSync, readFileSync, writeFileSync, mkdirSync, rmSync } from 'node:fs';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/self-update.js · L12
scripts/telora-daemon-wrapper.sh
path = scripts/telora-daemon-wrapper.sh
kind = build_helper
sizeBytes = 774
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/telora-daemon-wrapper.sh
dist/cli/connect.js
matchType = previous_version_dangerous_delta
matchedPackage = @telora/daemon@0.19.26
matchedIdentity = npm:QHRlbG9yYS9kYWVtb24:0.19.26
similarity = 0.717
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/connect.js

Findings

1 Critical · 3 High · 4 Medium · 5 Low

Critical · Previous Version Dangerous Delta · dist/cli/connect.js
High · Child Process · dist/unified-shell.js
High · Shell
High · Runtime Package Install · dist/self-update.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · scripts/telora-daemon-wrapper.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings