registry  /  @tuned-tensor/local  /  0.2.5

@tuned-tensor/local@0.2.5

⚠ Under review

TT Local: tuning tensors locally on hardware you control.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 8 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 202 KB of source, external domains: openrouter.ai

Source & flagged code

3 flagged · loading source
dist/openrouter.jsView file
17export async function openRouterChat(messages, options) { L18: const apiKey = process.env[options.apiKeyEnv]; L19: if (!apiKey) { ... L24: try { L25: const response = await fetch("https://openrouter.ai/api/v1/chat/completions", { L26: method: "POST", ... L33: }, L34: body: JSON.stringify({ L35: model: options.model, ... L44: if (!response.ok) { L45: const text = await response.text().catch(() => ""); L46: throw new OpenRouterHttpError(`OpenRouter request failed (${response.status}): ${text.slice(0, 500)}`, response.status);
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/openrouter.jsView on unpkg · L17
training/local-runner/src/train_dpo.pyView file
path = training/local-runner/src/train_dpo.py kind = build_helper sizeBytes = 10136 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

training/local-runner/src/train_dpo.pyView on unpkg
dist/store.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @tuned-tensor/local@0.2.0 matchedIdentity = npm:QHR1bmVkLXRlbnNvci9sb2NhbA:0.2.0 similarity = 0.389 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/store.jsView on unpkg

Findings

1 Critical1 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltadist/store.js
HighCredential Exfiltrationdist/openrouter.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertraining/local-runner/src/train_dpo.py
LowScripts Present
LowFilesystem
LowUrl Strings