registry  /  byob-cli  /  0.2.29

byob-cli@0.2.29

Codex connector for BYOB projects, backed by an Agent MCP stdio bridge.

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 62.9 KB of source, external domains: air.api.byob.studio, byob.studio, prim.api.byob.studio

Source & flagged code

5 flagged · loading source
bin/byob.jsView file
3import { createInterface } from "node:readline"; L4: import { spawn, spawnSync } from "node:child_process"; L5: import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/byob.jsView on unpkg · L3
3import { createInterface } from "node:readline"; L4: import { spawn, spawnSync } from "node:child_process"; L5: import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs"; L6: import { createHash, randomBytes } from "node:crypto"; L7: import net from "node:net"; L8: import tls from "node:tls"; ... L15: const PROD_PRIM_URL = "https://prim.api.byob.studio"; L16: const DEFAULT_AIR_URL = process.env.BYOB_AIR_URL || PROD_AIR_URL; L17: const DEFAULT_PRIM_URL = process.env.BYOB_PRIM_URL || PROD_PRIM_URL;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/byob.jsView on unpkg · L3
465} L466: return `${logo}\n\nBuild Your Own Buzz\nhttps://byob.studio\n`; L467: } ... L469: function printWizardStep(message) { L470: process.stdout.write(`\n> ${message}\n`); L471: } ... L473: function commandExists(command) { L474: const result = spawnSync( L475: process.platform === "win32" ? "where" : "command",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/byob.jsView on unpkg · L465
3import { createInterface } from "node:readline"; L4: import { spawn, spawnSync } from "node:child_process"; L5: import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs"; L6: import { createHash, randomBytes } from "node:crypto"; L7: import net from "node:net"; L8: import tls from "node:tls"; L9: import dns from "node:dns/promises"; L10: import { dirname, join } from "node:path"; ... L15: const PROD_PRIM_URL = "https://prim.api.byob.studio"; L16: const DEFAULT_AIR_URL = process.env.BYOB_AIR_URL || PROD_AIR_URL; L17: const DEFAULT_PRIM_URL = process.env.BYOB_PRIM_URL || PROD_PRIM_URL; L18: const PACKAGE_ROOT = dirname(dirname(fileURLToPath(import.meta.url)));
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/byob.jsView on unpkg · L3
3import { createInterface } from "node:readline"; L4: import { spawn, spawnSync } from "node:child_process"; L5: import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs"; L6: import { createHash, randomBytes } from "node:crypto"; L7: import net from "node:net"; L8: import tls from "node:tls"; L9: import dns from "node:dns/promises"; L10: import { dirname, join } from "node:path"; ... L15: const PROD_PRIM_URL = "https://prim.api.byob.studio"; L16: const DEFAULT_AIR_URL = process.env.BYOB_AIR_URL || PROD_AIR_URL; L17: const DEFAULT_PRIM_URL = process.env.BYOB_PRIM_URL || PROD_PRIM_URL; L18: const PACKAGE_ROOT = dirname(dirname(fileURLToPath(import.meta.url)));
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/byob.jsView on unpkg · L3

Findings

5 High3 Medium5 Low
HighChild Processbin/byob.js
HighShell
HighSame File Env Network Executionbin/byob.js
HighCommand Output Exfiltrationbin/byob.js
HighSandbox Evasion Gated Capabilitybin/byob.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptobin/byob.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings