appostle-installer@0.0.101

⚠ Under review

One package for everything Appostle needs on a user's machine: daemon, appostle CLI, agent provider CLIs (Claude Code, Codex, OpenCode), and pairing flow with appostle.app.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Environment Vars, Eval, Filesystem, Shell
Supply chain: High Entropy Strings, Obfuscated, Url Strings
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 902 KB of source, external domains: 127.0.0.1, appostle.app, deb.nodesource.com, developer.mozilla.org, git.io, nodejs.org, stackoverflow.com, www.apple.com
Oversized source lightweight scan
dist/appostle.js · 7.70 MB file, sampled 256 KB
Filesystem, Child Process, Environment Vars, Eval, Shell, High Entropy Strings, Url Strings · external domains: appostle.app
dist/worker.js · 8.96 MB file, sampled 256 KB
Filesystem, Child Process, Environment Vars, Eval, Shell, Obfuscated, High Entropy Strings, Url Strings · external domains: 127.0.0.1, appostle.app, developer.mozilla.org, git.io, stackoverflow.com

Source & flagged code

6 flagged
dist/appostle-installer.js
L227: // ../../node_modules/execa/lib/methods/template.js
L228: import { ChildProcess } from "node:child_process";
L229: var isTemplateString, parseTemplates, parseTemplate, splitByWhitespaces, DELIMITERS, ESCAPE_LENGTH, concatTokens, parseExpression, getSubprocessResult;
High
Child Process

Package source references child process execution.

dist/appostle-installer.js · L227
L128:
L129: // ../../node_modules/execa/lib/arguments/file-url.js
L130: import { fileURLToPath } from "node:url";
High
Shell

Package source references shell execution.

dist/appostle-installer.js · L128
L110: APPOSTLE_RELAY_ENDPOINT = "pair.appostle.app:443";
L111: APPOSTLE_WEB_URL = "https://appostle.app";
L112: INSTALLER_PACKAGE = "appostle-installer";
...
L128:
L129: // ../../node_modules/execa/lib/arguments/file-url.js
L130: import { fileURLToPath } from "node:url";
...
L176: import { StringDecoder } from "node:string_decoder";
L177: var objectToString, isArrayBuffer, isUint8Array, bufferToUint8Array, textEncoder, stringToUint8Array, textDecoder, uint8ArrayToString, joinToString, uint8ArraysToStrings, joinToUin...
L178: var init_uint_array = __esm({
...
L196: const decoder = new StringDecoder(encoding);
L197: const strings = uint8ArraysOrStrings.map((uint8ArrayOrString) => typeof uint8ArrayOrString === "string" ? stringToUint8Array(uint8ArrayOrString) : uint8ArrayOrString).map((uint8Arr...
L198: const finalString = decoder.end();
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/appostle-installer.js · L110
dist/appostle.js
context = "HEAD") {\n throw new Error("Base branch cannot be HEAD");\n }\n if (baseRefName.includes("..") || baseRefName.includes("@{")) {\n throw new Error(`Invalid base branch: ${baseRefName}`);\n }\n if (!/^[0-9A-Za-z._/-]+$/.test(baseRefName)) {\n throw new Error(`Invalid base branch: ${baseRefName}`);\n }\n const metadataPath = getAppostleWorktreeMetadataPath(worktreeRoot);\n mkdirSync(join(getGitDirForWorktreeRoot(worktreeRoot), "appostle"), { recursive: true });\n const metadata = { version: 1, baseRefName };\n writeFileSync(metadataPath, `${JSON.stringify(metadata, null, 2)}\n`, "utf8");\n}\nfunction [redacted](worktreeRoot, options) {\n if (!Number.isInteger(options.worktreePort) || options.worktreePort <= 0) {\n throw new Error(`Invalid worktree runtime port: ${options.worktreePort}`);\n }\n const current = readAppostleWorktreeMetadata(worktreeRoot);\n if (!current) {\n throw new Error("Cannot persist worktree runtime metadata: missing base metadata");\n }\n const metadataPath = getAppostleWo
Critical
Encrypted Payload Temp Execution

Source decrypts an embedded payload, writes it to disk, and executes it through a child process.

dist/appostle.js
dist/shell-integration/zsh/appostle-integration.zsh
path = dist/shell-integration/zsh/appostle-integration.zsh kind = build_helper sizeBytes = 351 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/shell-integration/zsh/appostle-integration.zsh
dist/worker.js
path = dist/worker.js kind = oversized_source_file sizeBytes = 9393440 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/worker.js

Findings

1 Critical · 3 High · 4 Medium · 6 Low
Critical · Encrypted Payload Temp Execution · dist/appostle.js
High · Child Process · dist/appostle-installer.js
High · Shell · dist/appostle-installer.js
High · Oversized Source File · dist/worker.js
Medium · Environment Vars
Medium · Install Persistence · dist/appostle-installer.js
Medium · Ships Build Helper · dist/shell-integration/zsh/appostle-integration.zsh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings