registry  /  acptoapi  /  1.0.133

acptoapi@1.0.133

⚠ Under review

Anthropic SDK to multi-provider streaming bridge - converts Anthropic message format and tool calls to Gemini, OpenAI-compatible APIs

Static Scan Results

scanned 14d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 75 file(s), 440 KB of source, external domains: 127.0.0.1, 247420.xyz, api.anthropic.com, api.cerebras.ai, api.cloudflare.com, api.cohere.com, api.deepseek.com, api.elevenlabs.io, api.fireworks.ai, api.groq.com, api.llama-api.com, api.mistral.ai, api.openai.com, api.opencode.ai, api.perplexity.ai, api.replicate.com, api.sambanova.ai, api.together.xyz, api.voyageai.com, api.x.ai, api.z.ai, chatjimmy.ai, codestral.mistral.ai, dashscope.aliyuncs.com, example.com, generativelanguage.googleapis.com, github.com, integrate.api.nvidia.com, openrouter.ai, schema.org, unpkg.com, upload.wikimedia.org, www.w3.org

Source & flagged code

6 flagged · loading source
bin/acptoapi.jsView file
matchType = previous_version_dangerous_delta matchedPackage = acptoapi@1.0.126 matchedIdentity = npm:YWNwdG9hcGk:1.0.126 similarity = 0.851 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

bin/acptoapi.jsView on unpkg
64(async () => { L65: const { execSync } = require('child_process'); L66: const opts = { stdio: 'inherit', windowsHide: true };
High
Child Process

Package source references child process execution.

bin/acptoapi.jsView on unpkg · L64
64(async () => { L65: const { execSync } = require('child_process'); L66: const opts = { stdio: 'inherit', windowsHide: true }; ... L74: console.log(`[acptoapi] latest on npm: ${latest}`); L75: console.log('[acptoapi] next invocation of `bunx acptoapi@latest` or `npx -y acptoapi@latest` will fetch fresh.'); L76: process.exit(0);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/acptoapi.jsView on unpkg · L64
test.jsView file
15L16: const assert = require('assert'); L17: const http = require('http');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

test.jsView on unpkg · L15
index.jsView file
121async function runClaude(opts = {}) { L122: const { spawn } = require('child_process'); L123: const http = require('http'); L124: const { execSync } = require('child_process'); ... L126: const baseUrl = `http://127.0.0.1:${port}`; L127: const apiKey = process.env.ACPTOAPI_API_KEY || 'theultimateflex'; L128:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.jsView on unpkg · L121
install-acp-agents.ps1View file
path = install-acp-agents.ps1 kind = build_helper sizeBytes = 2879 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install-acp-agents.ps1View on unpkg

Findings

1 Critical4 High5 Medium3 Low
CriticalPrevious Version Dangerous Deltabin/acptoapi.js
HighChild Processbin/acptoapi.js
HighShell
HighSame File Env Network Executionindex.js
HighRuntime Package Installbin/acptoapi.js
MediumDynamic Requiretest.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperinstall-acp-agents.ps1
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings