registry  /  castclaw-darwin-arm64  /  1.3.0

castclaw-darwin-arm64@1.3.0

⚠ Under review

CastClaw TUI agent CLI (darwin/arm64)

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNativeBindingsNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 472 file(s), 13.2 MB of source, external domains: api.meuprovedor.com, api.minudbyder.dk, api.miproveedor.com, api.mojdostawca.com, api.mojprovajder.com, api.monfournisseur.com, api.myprovider.com, api.saglayicim.com, github.com, json-schema.org, raw.githubusercontent.com, www.w3.org

Source & flagged code

5 flagged · loading source
bin/app/assets/codeql-DsOJ9woJ.jsView file
1const e=Object.freeze(JSON.parse('{"displayName":"CodeQL","fileTypes":["ql","qll"],"name":"codeql","patterns":[{"include":"#module-member"}],"repository":{"abstract":{"match":"\\\\...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/app/assets/codeql-DsOJ9woJ.jsView on unpkg · L1
bin/app/assets/session-BQ96t6Tt.jsView file
17contains invisible/control Unicode U+202A (left-to-right embedding) `}),$.preventDefault();return}if($.key==="Enter"&&He($))return;const q=$.ctrlKey&&!$.metaKey&&!$.altKey&&!$.shiftKey;if(Z.popover){if($.key==="Tab"){fn(),$.preventDefault();return}const Q=$.key==="ArrowUp"||$.key==="ArrowDown"||$.key==="Ent
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

bin/app/assets/session-BQ96t6Tt.jsView on unpkg · L17
bin/castclawView file
path = bin/castclaw kind = native_binary sizeBytes = 100618402 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/castclawView on unpkg
bin/python/src/castclaw_ml/runner.pyView file
path = bin/python/src/castclaw_ml/runner.py kind = build_helper sizeBytes = 70580 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/python/src/castclaw_ml/runner.pyView on unpkg
bin/app/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = bin/app/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

bin/app/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg

Findings

1 Critical1 High5 Medium5 Low
CriticalTrojan Source Unicodebin/app/assets/session-BQ96t6Tt.js
HighShips High Entropy Blobbin/app/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
MediumDynamic Requirebin/app/assets/codeql-DsOJ9woJ.js
MediumNetwork
MediumShips Native Binarybin/castclaw
MediumShips Build Helperbin/python/src/castclaw_ml/runner.py
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings