registry  /  @yeaft/webchat-agent  /  1.0.105

@yeaft/webchat-agent@1.0.105

Remote worker agent for Yeaft Web Code Agent — connects the native Yeaft engine, CLI providers, and workbench tools

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 218 file(s), 2.52 MB of source, external domains: api.anthropic.com, api.deepseek.com, api.github.com, api.githubcopilot.com, api.openai.com, api.tavily.com, duckduckgo.com, generativelanguage.googleapis.com, github.com, html.duckduckgo.com, models.dev, nodejs.org, registry.npmjs.org, tavily.com, www.apple.com, www.bing.com

Source & flagged code

6 flagged · loading source
connection/upgrade.jsView file
1import { execFile, execFileSync, spawn } from 'child_process'; L2: import { writeFileSync, mkdirSync, existsSync, cpSync } from 'fs';
High
Child Process

Package source references child process execution.

connection/upgrade.jsView on unpkg · L1
28const isWin = platform() === 'win32'; L29: // Windows: use bare 'npm'/'pm2' + shell:true — cmd.exe finds them via PATH. L30: // This was the working pattern before ce58bbc. Absolute paths break when
High
Shell

Package source references shell execution.

connection/upgrade.jsView on unpkg · L28
1import { execFile, execFileSync, spawn } from 'child_process'; L2: import { writeFileSync, mkdirSync, existsSync, cpSync } from 'fs'; ... L20: export function resolveInstanceId() { L21: return ctx.CONFIG?.instanceId || process.env.YEAFT_AGENT_INSTANCE || DEFAULT_INSTANCE_ID; L22: } ... L28: const isWin = platform() === 'win32'; L29: // Windows: use bare 'npm'/'pm2' + shell:true — cmd.exe finds them via PATH. L30: // This was the working pattern before ce58bbc. Absolute paths break when ... L43: // Shared cleanup logic for restart/upgrade L44: function cleanupAndExit(exitCode) { L45: setTimeout(() => { ... L415: const serviceName = getServiceName(instanceId);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

connection/upgrade.jsView on unpkg · L1
connection/upgrade-worker-template.jsView file
1'use strict'; L2: const fs = require('fs'); L3: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

connection/upgrade-worker-template.jsView on unpkg · L1
yeaft/tools/js-repl.jsView file
1/** L2: * js-repl.js — JavaScript REPL for evaluating expressions.
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

yeaft/tools/js-repl.jsView on unpkg · L1
cli.jsView file
476} else { L477: execSync(`npm install -g ${pkg.name}@latest`, { stdio: 'inherit' }); L478: console.log(`Successfully upgraded to ${latest}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

cli.jsView on unpkg · L476

Findings

3 High6 Medium4 Low
HighChild Processconnection/upgrade.js
HighShellconnection/upgrade.js
HighRuntime Package Installcli.js
MediumDynamic Requireconnection/upgrade-worker-template.js
MediumUnsafe Vm Contextyeaft/tools/js-repl.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceconnection/upgrade.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings