@venturewild/workspace@0.6.36

⚠ Under review

Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, Obfuscated, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 67 file(s), 1.76 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.z.ai, bellard.org, claude.ai, fb.me, github.com, lea.verou.me, opensource.org, reactjs.org, registry.npmjs.org, sync.venturewild.llc, www.w3.org

Source & flagged code

3 flagged
server/src/skills.mjs
Line 37: contains invisible/control Unicode U+FEFF (zero width no-break space)
const m = text.match(/^<U+FEFF>?---\s*\r?\n([\s\S]*?)\r?\n---/);
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

server/src/skills.mjs · L37
Trigger-reachable chain: manifest.bin -> server/bin/wild-workspace.mjs -> server/src/index.mjs -> server/src/skills.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

server/src/skills.mjs

web/dist/assets/atkinson-hyperlegible-latin-700-normal-GZI4o3u0.woff2
path = web/dist/assets/atkinson-hyperlegible-latin-700-normal-GZI4o3u0.woff2 kind = high_entropy_blob sizeBytes = 17524 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

web/dist/assets/atkinson-hyperlegible-latin-700-normal-GZI4o3u0.woff2

Findings

2 Critical · 1 High · 4 Medium · 6 Low

Critical · Trojan Source Unicode · server/src/skills.mjs
Critical · Trigger Reachable Dangerous Capability · server/src/skills.mjs
High · Ships High Entropy Blob · web/dist/assets/atkinson-hyperlegible-latin-700-normal-GZI4o3u0.woff2
Medium · Dynamic Require
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings