registry  /  claude-basecamp  /  0.4.0

claude-basecamp@0.4.0

⚠ Under review

Zero-config localhost dashboard for Claude Code — sessions, agents, usage, tasks, and connector management across Desktop, Terminal, and API.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 139 KB of source, external domains: 127.0.0.1, api.telegram.org, discord.com, hooks.slack.com

Source & flagged code

2 flagged · loading source
public/app.jsView file
86async function api(path, options = {}) { L87: const res = await fetch(path, { L88: ...options, L89: headers: options.body ? { 'Content-Type': 'application/json' } : {}, L90: body: options.body ? JSON.stringify(options.body) : undefined, L91: }) L92: const data = await res.json().catch(() => ({})) L93: if (!res.ok) throw new Error(data.error || res.statusText) ... L886: const hookUrl = `${location.origin}/api/hooks/${el.dataset.hook}` L887: await navigator.clipboard.writeText(`curl -X POST ${hookUrl}`) L888: el.textContent = 'Copied'
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

public/app.jsView on unpkg · L86
src/lib/notify.jsView file
1import { spawn } from 'node:child_process' L2: import { getSettings } from './settings.js' ... L6: function post(url, body) { L7: return fetch(url, { L8: method: 'POST', L9: headers: { 'Content-Type': 'application/json' }, L10: body: JSON.stringify(body), L11: signal: AbortSignal.timeout(FETCH_TIMEOUT_MS), ... L51: } L52: if (settings.macosNotifications && process.platform === 'darwin') { L53: attempts.push(
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/lib/notify.jsView on unpkg · L1

Findings

1 Critical1 High3 Medium4 Low
CriticalCredential Exfiltrationpublic/app.js
HighSandbox Evasion Gated Capabilitysrc/lib/notify.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings