registry  /  @thecolonylab/hivemind  /  0.2.7

@thecolonylab/hivemind@0.2.7

Forager — the CLI that runs on your machine and executes for the Hivemind brain. Describe a flow in plain English, an AI agent drives a real browser and reports pass/fail. No LLM key needed on this machine.

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 32 file(s), 99.2 KB of source, external domains: app.thecolonylab.com

Source & flagged code

3 flagged · loading source
dist/commands/init.jsView file
3import { mkdir, readFile, writeFile, copyFile, access } from 'node:fs/promises'; L4: import { execFile } from 'node:child_process'; L5: import { promisify } from 'node:util';
High
Child Process

Package source references child process execution.

dist/commands/init.jsView on unpkg · L3
dist/commands/report.jsView file
2import { readFile } from 'node:fs/promises'; L3: import { exec } from 'node:child_process'; L4: import { readApiKey } from '../credentials.js'; L5: function serverUrl() { L6: return process.env.HIVEMIND_SERVER_URL || 'https://app.thecolonylab.com'; L7: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/report.jsView on unpkg · L2
2import { readFile } from 'node:fs/promises'; L3: import { exec } from 'node:child_process'; L4: import { readApiKey } from '../credentials.js'; L5: function serverUrl() { L6: return process.env.HIVEMIND_SERVER_URL || 'https://app.thecolonylab.com'; L7: } L8: function open(url) { L9: const opener = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open'; L10: exec(`${opener} "${url}"`); ... L12: export async function reportCommand() { L13: const pointerPath = join(process.cwd(), 'hive', 'last-run.json'); L14: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/report.jsView on unpkg · L2

Findings

4 High3 Medium4 Low
HighChild Processdist/commands/init.js
HighShell
HighSame File Env Network Executiondist/commands/report.js
HighSandbox Evasion Gated Capabilitydist/commands/report.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings