registry  /  acptoapi  /  1.0.148

acptoapi@1.0.148

⚠ Under review

Anthropic SDK to multi-provider streaming bridge - converts Anthropic message format and tool calls to Gemini, OpenAI-compatible APIs

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 76 file(s), 522 KB of source, external domains: 127.0.0.1, 247420.xyz, aionlabs.ai, aistudio.google.com, api.aionlabs.ai, api.anthropic.com, api.cerebras.ai, api.cloudflare.com, api.cohere.com, api.deepseek.com, api.elevenlabs.io, api.example.com, api.fireworks.ai, api.groq.com, api.llama-api.com, api.mistral.ai, api.openai.com, api.opencode.ai, api.perplexity.ai, api.replicate.com, api.sambanova.ai, api.together.ai, api.together.xyz, api.voyageai.com, api.x.ai, api.z.ai, build.nvidia.com, chatjimmy.ai, cloud.cerebras.ai, cloud.sambanova.ai, codestral.mistral.ai, console.anthropic.com, console.aws.amazon.com, console.groq.com, console.mistral.ai, console.x.ai, dash.cloudflare.com, dashboard.cohere.com, dashscope.aliyuncs.com, dashscope.console.aliyun.com, example.com, fireworks.ai, generativelanguage.googleapis.com, github.com, integrate.api.nvidia.com, my-host.com, ollama.com, opencode.ai, openrouter.ai, platform.deepseek.com

Source & flagged code

6 flagged · loading source
bin/acptoapi.jsView file
matchType = previous_version_dangerous_delta matchedPackage = acptoapi@1.0.126 matchedIdentity = npm:YWNwdG9hcGk:1.0.126 similarity = 0.770 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/acptoapi.jsView on unpkg
123(async () => { L124: const { execSync } = require('child_process'); L125: const opts = { stdio: 'inherit', windowsHide: true };
High
Child Process

Package source references child process execution.

bin/acptoapi.jsView on unpkg · L123
123(async () => { L124: const { execSync } = require('child_process'); L125: const opts = { stdio: 'inherit', windowsHide: true }; ... L133: console.log(`[acptoapi] latest on npm: ${latest}`); L134: console.log('[acptoapi] next invocation of `bunx acptoapi@latest` or `npx -y acptoapi@latest` will fetch fresh.'); L135: process.exit(0);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/acptoapi.jsView on unpkg · L123
test.jsView file
15L16: const assert = require('assert'); L17: const http = require('http');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

test.jsView on unpkg · L15
index.jsView file
122async function runClaude(opts = {}) { L123: const { spawn } = require('child_process'); L124: const http = require('http'); L125: const { execSync } = require('child_process'); ... L127: const baseUrl = `http://127.0.0.1:${port}`; L128: const apiKey = process.env.ACPTOAPI_API_KEY || 'theultimateflex'; L129:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

index.jsView on unpkg · L122
install-acp-agents.ps1View file
path = install-acp-agents.ps1 kind = build_helper sizeBytes = 2879 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install-acp-agents.ps1View on unpkg

Findings

1 Critical4 High5 Medium3 Low
CriticalPrevious Version Dangerous Deltabin/acptoapi.js
HighChild Processbin/acptoapi.js
HighShell
HighSame File Env Network Executionindex.js
HighRuntime Package Installbin/acptoapi.js
MediumDynamic Requiretest.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperinstall-acp-agents.ps1
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings