registry  /  byob-cli  /  0.2.32

byob-cli@0.2.32

Codex connector for BYOB projects, backed by an Agent MCP stdio bridge.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 82.4 KB of source, external domains: air.api.byob.studio, byob.studio, prim.api.byob.studio

Source & flagged code

6 flagged · loading source
bin/byob.jsView file
3import { createInterface } from "node:readline"; L4: import { spawn, spawnSync } from "node:child_process"; L5: import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/byob.jsView on unpkg · L3
3import { createInterface } from "node:readline"; L4: import { spawn, spawnSync } from "node:child_process"; L5: import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs"; L6: import { createHash, randomBytes } from "node:crypto"; L7: import net from "node:net"; L8: import tls from "node:tls"; ... L15: const PROD_PRIM_URL = "https://prim.api.byob.studio"; L16: const DEFAULT_AIR_URL = process.env.BYOB_AIR_URL || PROD_AIR_URL; L17: const DEFAULT_PRIM_URL = process.env.BYOB_PRIM_URL || PROD_PRIM_URL;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/byob.jsView on unpkg · L3
696} L697: return `${logo}\n\nBuild Your Own Buzz\nhttps://byob.studio\n`; L698: } ... L700: function printWizardStep(message) { L701: process.stdout.write(`\n> ${message}\n`); L702: } ... L704: function commandExists(command) { L705: const result = spawnSync( L706: process.platform === "win32" ? "where" : "command",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/byob.jsView on unpkg · L696
3import { createInterface } from "node:readline"; L4: import { spawn, spawnSync } from "node:child_process"; L5: import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs"; L6: import { createHash, randomBytes } from "node:crypto"; L7: import net from "node:net"; L8: import tls from "node:tls"; L9: import dns from "node:dns/promises"; L10: import { dirname, join } from "node:path"; ... L15: const PROD_PRIM_URL = "https://prim.api.byob.studio"; L16: const DEFAULT_AIR_URL = process.env.BYOB_AIR_URL || PROD_AIR_URL; L17: const DEFAULT_PRIM_URL = process.env.BYOB_PRIM_URL || PROD_PRIM_URL; L18: const PACKAGE_ROOT = dirname(dirname(fileURLToPath(import.meta.url)));
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/byob.jsView on unpkg · L3
1845'bun --version 2>/dev/null | sed "s/^/bun_version=/" || true', L1846: "if [ -f package.json ] && command -v node >/dev/null 2>&1; then node -e 'const p=require(\"./package.json\"); console.log(\"package_manager=\"+(p.packageManager||\"\")); console.l... L1847: ].join(" && ");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/byob.jsView on unpkg · L1845
3import { createInterface } from "node:readline"; L4: import { spawn, spawnSync } from "node:child_process"; L5: import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs"; L6: import { createHash, randomBytes } from "node:crypto"; L7: import net from "node:net"; L8: import tls from "node:tls"; L9: import dns from "node:dns/promises"; L10: import { dirname, join } from "node:path"; ... L15: const PROD_PRIM_URL = "https://prim.api.byob.studio"; L16: const DEFAULT_AIR_URL = process.env.BYOB_AIR_URL || PROD_AIR_URL; L17: const DEFAULT_PRIM_URL = process.env.BYOB_PRIM_URL || PROD_PRIM_URL; L18: const PACKAGE_ROOT = dirname(dirname(fileURLToPath(import.meta.url)));
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/byob.jsView on unpkg · L3

Findings

5 High4 Medium5 Low
HighChild Processbin/byob.js
HighShell
HighSame File Env Network Executionbin/byob.js
HighCommand Output Exfiltrationbin/byob.js
HighSandbox Evasion Gated Capabilitybin/byob.js
MediumDynamic Requirebin/byob.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptobin/byob.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings