registry  /  @whfzgyx/ojo-canvas-sdk  /  0.1.6

@whfzgyx/ojo-canvas-sdk@0.1.6

⚠ Under review

`@touchine/ojo-canvas-sdk` is the browser-facing OJO project canvas SDK.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 20 file(s), 3.39 MB of source, external domains: fb.me, figma.com, github.com, irise-resources-production-us-east-1-972778198637.s3.us-east-1.amazonaws.com, irise-resources-staging-us-east-1-972778198637.s3.us-east-1.amazonaws.com, irise-web-canvas-public-assets.rogerhorsleymorris.workers.dev, ojo.dev, prosemirror.net, radix-ui.com, react.dev, reactrouter.com, www.w3.org
Oversized source lightweight scan
dist/runtime/assets/contribution-BiS0puKe.js3.71 MB file, sampled 256 KB
ChildProcessHighEntropyStringsMinifiedUrlStringsirise-web-canvas-public-assets.rogerhorsleymorris.workers.devwww.w3.org

Source & flagged code

4 flagged · loading source
dist/runtime/assets/preview-mode-utils-BY_tGYLK.jsView file
31patternName = google_api_key severity = high line = 31 matchedText = caused b...it(`
High
High Secret

Package contains a high-severity secret pattern.

dist/runtime/assets/preview-mode-utils-BY_tGYLK.jsView on unpkg · L31
31patternName = google_api_key severity = high line = 31 matchedText = caused b...it(`
High
Secret Pattern

Google API key in dist/runtime/assets/preview-mode-utils-BY_tGYLK.js

dist/runtime/assets/preview-mode-utils-BY_tGYLK.jsView on unpkg · L31
dist/runtime/assets/ja-CO70Pb1Z.jsView file
3contains invisible/control Unicode U+200B (zero width space) これでターミナルに戻ることができます。`,authorizedCode:`認証されたデバイスコード`,authorizeAnother:`別のデバイスを認証する`,returnHome:`家に帰る`},confirm:{eyebrow:`CLI デバイスの認証`,title:`Ojo CLIを認可する`,description:`Ojo CLI へのアクセスを確認します。`,browserCode:`ブラウザ確認コード`,deviceCode:`デバイスコード`,approv
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/runtime/assets/ja-CO70Pb1Z.jsView on unpkg · L3
dist/runtime/assets/contribution-BiS0puKe.jsView file
path = [redacted]-BiS0puKe.js kind = oversized_source_file sizeBytes = 3895009 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/runtime/assets/contribution-BiS0puKe.jsView on unpkg

Findings

1 Critical3 High3 Medium6 Low
CriticalTrojan Source Unicodedist/runtime/assets/ja-CO70Pb1Z.js
HighHigh Secretdist/runtime/assets/preview-mode-utils-BY_tGYLK.js
HighOversized Source Filedist/runtime/assets/contribution-BiS0puKe.js
HighSecret Patterndist/runtime/assets/preview-mode-utils-BY_tGYLK.js
MediumDynamic Require
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License