registry  /  @viraatdas/rudder  /  2.10.16

@viraatdas/rudder@2.10.16

A Claude Code-style terminal app for running coding agents with worktree-isolated runs.

Static Scan Results

scanned 13d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 34 file(s), 584 KB of source, external domains: 127.0.0.1, api.anthropic.com, github.com, jj-vcs.github.io, models.dev, registry.npmjs.org, rudder-cloud-control.fly.dev, www.w3.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/util.jsView file
1import { spawn, spawnSync } from "node:child_process"; L2: import { createHash, randomUUID } from "node:crypto"; ... L7: import readline from "node:readline/promises"; L8: import { stdin as input, stdout as output } from "node:process"; L9: const DEFAULT_PATH = [ ... L24: export function rudderHome() { L25: return path.resolve(process.env.RUDDER_HOME?.trim() || path.join(os.homedir(), ".rudder")); L26: } ... L65: const raw = await fsp.readFile(filePath, "utf8"); L66: return JSON.parse(raw); L67: } ... L160: const TOOL_INSTALL_HINTS = {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/util.jsView on unpkg · L1
dist/cloud.jsView file
1import { spawn } from "node:child_process"; L2: import { createHash } from "node:crypto"; ... L5: import path from "node:path"; L6: import { WebSocket } from "ws"; L7: import { currentBranch, currentCommit, findRepoRoot } from "./git.js"; ... L30: // Shell rc so PATH/aliases/env exports come along L31: "~/.zshrc", L32: "~/.zprofile", ... L60: // can ship; .ssh/.gnupg/keychains stay blocked because they contain L61: // private key material that isn't recoverable if leaked. L62: const SECRET_PATH_PARTS = new Set([ ... L250: method: "POST",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cloud.jsView on unpkg · L1
scripts/postinstall.mjsView file
5// install: on any problem it prints guidance and exits 0. L6: import { spawnSync } from "node:child_process"; L7: ... L13: try { L14: const probe = process.platform === "win32" ? "where" : "which"; L15: return spawnSync(probe, [cmd], { stdio: "ignore" }).status === 0; ... L34: warn(" Rust: cargo install jj-cli"); L35: warn(" Other: https://jj-vcs.github.io/jj/latest/install-and-setup/"); L36: warn("Then run: rudder doctor"); ... L39: function main() { L40: if (process.env.RUDDER_SKIP_POSTINSTALL) { L41: return;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/postinstall.mjsView on unpkg · L5
dist/native/rudder-nativeView file
path = dist/native/rudder-native kind = native_binary sizeBytes = 2575296 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/native/rudder-nativeView on unpkg
assets/sounds/ping.mp3View file
path = assets/sounds/ping.mp3 kind = high_entropy_blob sizeBytes = 40704 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/sounds/ping.mp3View on unpkg

Findings

3 High6 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilityscripts/postinstall.mjs
HighShips High Entropy Blobassets/sounds/ping.mp3
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cloud.js
MediumShips Native Binarydist/native/rudder-native
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/util.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings