claude-code-session-manager@0.35.0

Local cockpit for the Claude Code CLI — multi-tab terminal, full config surface, scheduler, voice dictation, and live observability.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, Obfuscated, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 160 file(s), 5.01 MB of source, external domains: 127.0.0.1, api.anthropic.com, bilko.run, bugzilla.mozilla.org, cdn.jsdelivr.net, claude.ai, code.google.com, developer.mozilla.org, developers.google.com, drafts.csswg.org, en.wikipedia.org, fonts.googleapis.com, fonts.gstatic.com, gist.github.com, github.com, googlechrome.github.io, hacks.mozilla.org, help.yahoo.com, html.spec.whatwg.org, huggingface.co, json-schema.org, json.schemastore.org, prosemirror.net, r12a.github.io, reactjs.org, registry.npmjs.org, sass-lang.com, schema.org, stackoverflow.com, support.google.com, tools.ietf.org, web.dev, wiki.whatwg.org, www.bing.com, www.dmoz.org, www.iana.org, www.ietf.org, www.schemastore.org, www.w3.org, www.whatwg.org
Oversized source lightweight scan
dist/assets/index-zepGuf8m.js: 2.29 MB file, sampled 256 KB
Network, ChildProcess, HighEntropyStrings, Minified, UrlStrings; json.schemastore.org, reactjs.org, www.w3.org
dist/assets/monaco-editor-BW5C4Iv1.js: 3.63 MB file, sampled 256 KB
ChildProcess, Shell, Obfuscated, HighEntropyStrings, Minified
dist/assets/ts.worker-59MjiAqk.js: 6.70 MB file, sampled 256 KB
Filesystem, Network, ChildProcess, Shell

Source & flagged code

10 flagged
package.json
scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/assets/whisperWorker-Dbia1OpC.js
6${N} L7: }`,m=new Function(Object.keys(F),N)(...Object.values(F)),N=`methodCaller<(${b.map(j=>j.name)}) => ${g.name}>`,tN(Object.defineProperty(m,"name",{value:N}))}function oN(u,f){return ... L8: `),r)}p.validationMode&&Ar(o,"validationMode",p.validationMode,r)}let _=Se().webgpuRegisterDevice(h);if(_){let[p,w,v]=_;Ar(o,"deviceId",p.toString(),r),Ar(o,"webgpuInstance",w.toSt...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/whisperWorker-Dbia1OpC.js · L6
bin/cli.cjs
5*/ L6: const { spawn } = require('node:child_process'); L7: const path = require('node:path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/cli.cjs · L5
src/main/lib/definitionOfDone.cjs
13const path = require('node:path'); L14: const { spawn, spawnSync } = require('node:child_process'); L15: const { splitFrontmatter } = require('./prdFrontmatter.cjs'); ... L23: const RUNS_DIR = path.join( L24: os.homedir(), L25: '.claude', 'session-manager', 'scheduled-plans', 'runs' ... L266: clearTimeout(escalate); L267: const exitCode = typeof code === 'number' ? code : -1; L268: resolve({
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/main/lib/definitionOfDone.cjs · L13
src/main/index.cjs
1Manifest entrypoint (manifest.main) carries capability families absent from dist/build output: environment+network, execution+network L1: const { app, BrowserWindow, ipcMain, dialog, Menu, session, systemPreferences, globalShortcut, shell, clipboard, powerSaveBlocker, protocol } = require('electron'); L2: const { spawn, execFile, execFileSync } = require('node:child_process'); L3: const path = require('node:path'); ... L67: function startSystemdInhibit() { L68: if (process.platform !== 'linux') return; L69: // Idempotent: if a live child already holds the lock, don't spawn a second. L70: if (systemdInhibitChild && systemdInhibitChild.exitCode === null && !systemdInhibitChild.killed) return; L71: try { ... L139: L140: const REBOOT_LOG = path.join(os.homedir(), '.claude', 'session-manager-reboot.log'); L141: ... L201: encoding: 'utf8',
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

src/main/index.cjs · L1
dist/assets/ort-wasm-simd-threaded.asyncify-DMmc6YqF.wasm
path = dist/assets/ort-wasm-simd-threaded.asyncify-DMmc6YqF.wasm kind = wasm_module sizeBytes = 23567050 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/assets/ort-wasm-simd-threaded.asyncify-DMmc6YqF.wasm
dist/vad/silero_vad_v5.onnx
path = dist/vad/silero_vad_v5.onnx kind = high_entropy_blob sizeBytes = 2327524 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/vad/silero_vad_v5.onnx
dist/assets/monaco-editor-BW5C4Iv1.js
path = dist/assets/monaco-editor-BW5C4Iv1.js kind = oversized_source_file sizeBytes = 3809240 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/assets/monaco-editor-BW5C4Iv1.js
src/main/chatRunner.cjs
matchType = previous_version_dangerous_delta matchedPackage = claude-code-session-manager@0.34.0 matchedIdentity = npm:[redacted]:0.34.0 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/main/chatRunner.cjs

Findings

5 High · 6 Medium · 9 Low
High · Install Time Lifecycle Scripts · package.json
High · Entrypoint Build Divergence · src/main/index.cjs
High · Ships High Entropy Blob · dist/vad/silero_vad_v5.onnx
High · Oversized Source File · dist/assets/monaco-editor-BW5C4Iv1.js
High · Previous Version Dangerous Delta · src/main/chatRunner.cjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · bin/cli.cjs
Medium · Network
Medium · Environment Vars
Medium · Ships Wasm Module · dist/assets/ort-wasm-simd-threaded.asyncify-DMmc6YqF.wasm
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/assets/whisperWorker-Dbia1OpC.js
Low · Weak Crypto · src/main/lib/definitionOfDone.cjs
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings