
autodev-cli@1.4.9

AutoAIDev CLI — autonomous AI task loop with VS Code / Cursor launcher

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.

Scanned 84 file(s), 842 KB of source. External domains: api.github.com, astral.sh, discord.com, github.com

Source & flagged code

5 flagged
out/providers/opencodeSdkProvider.js (L102)
  L102: }
  L103: // Use new Function() to prevent esbuild from transforming import(path) to require(path).
  L104: // require() cannot load ESM files; a native ESM import() is required.
Severity: Low
Rule: Eval

Package source references a known benign dynamic code generation pattern.
bin/autodev-ping.js (L5)
  L5:
  L6: const fs = require('fs');
  L7: const path = require('path');
Severity: Medium
Rule: Dynamic Require

Package source references dynamic require/import behavior.
out/rdp/bridge.js (L57)
  L57: exports.RdpBridge = void 0;
  L58: const net = __importStar(require("net"));
  L59: const crypto = __importStar(require("crypto"));
  ...
  L73: // X.224 Data TPDU: LI(1)=2, code(1)=0xF0, EOT(1)=0x80
  L74: const header = Buffer.from([0x02, constants_1.X224_TPDU_DATA, 0x80]);
  L75: return Buffer.concat([header, payload]);
  ...
  L185: }
  L186: // ConnectGCCPDU body: choice(1) + conference-name(5) + optFlags(2) + "Duca"(4)
  L187: // + perLen(clientData) + clientData
Severity: Low
Rule: Weak Crypto

Package source references weak cryptographic algorithms.
out/providers/copilotSdkProvider.js (L66)
  L66: function _copilotNpmRoot() {
  L67: if (process.platform === 'win32') {
  L68: return path.join(os.homedir(), 'AppData', 'Roaming', 'npm', 'node_modules', '@github', 'copilot');
  L69: }
  ...
  L90: async function _fetchCopilotUser(token) {
  L91: const res = await fetch('https://api.github.com/copilot_internal/user', {
  L92: headers: { 'Authorization': 'token ' + token, 'User-Agent': 'GitHubCopilotCLI/1.0' },
  ...
  L96: }
  L97: return res.json();
  L98: }
  ...
  L105: const envToken = _settingsToken ||
  L106: process.env['COPILOT_GITHUB_TOKEN'] ||
Severity: High
Rule: Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
out/agentBackup/upload.js
  matchType = previous_version_dangerous_delta
  matchedPackage = autodev-cli@1.4.8
  matchedIdentity = npm:YXV0b2Rldi1jbGk:1.4.8
  similarity = 0.976
  summary = stored previous version shares package body but lacks this dangerous source file
Severity: High
Rule: Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Findings

2 High · 4 Medium · 7 Low

High · Sandbox Evasion Gated Capability · out/providers/copilotSdkProvider.js
High · Previous Version Dangerous Delta · out/agentBackup/upload.js
Medium · Dynamic Require · bin/autodev-ping.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · out/providers/opencodeSdkProvider.js
Low · Weak Crypto · out/rdp/bridge.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings