claude-flow@3.21.1

⚠ Under review

Ruflo - Enterprise AI agent orchestration for Claude Code. Deploy 60+ specialized agents in coordinated swarms with self-learning, fault-tolerant consensus, vector memory, and MCP integration

Static Scan Results

scanned 9h ago · by rust-scanner

Static analysis flagged 36 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 374 file(s), 6.32 MB of source, external domains: agentbbs.local, aistudio.google.com, api.anthropic.com, api.npmjs.org, api.openai.com, api.pinata.cloud, api.web3.storage, claude.com, cli.github.com, cloud.google.com, cloudflare-ipfs.com, datasets-server.huggingface.co, dweb.link, gateway.pinata.cloud, generativelanguage.googleapis.com, git-scm.com, github.com, html.duckduckgo.com, hub.docker.com, huggingface.co, ipfs.io, nodejs.org, ollama.com, openrouter.ai, pinata.cloud, raw.githubusercontent.com, registry.npmjs.org, sql.js.org, storage.googleapis.com, us-central1-claude-flow.cloudfunctions.net, w3s.link, web3.storage, www.apple.com

Source & flagged code

29 flagged
v3/@claude-flow/guidance/dist/manifest-validator.js
L702: patternName = private_key_rsa severity = critical line = 702 matchedText = params: ...' },
Critical
Critical Secret

Package contains a critical-looking secret pattern.

v3/@claude-flow/guidance/dist/manifest-validator.js · L702

L702: patternName = private_key_rsa severity = critical line = 702 matchedText = params: ...' },
Critical
Secret Pattern

RSA private key in v3/@claude-flow/guidance/dist/manifest-validator.js

v3/@claude-flow/guidance/dist/manifest-validator.js · L702

v3/@claude-flow/shared/dist/core/orchestrator/lifecycle-manager.js
L55: }
L56: async spawn(config) {
L57: // Validate capacity
High
Child Process

Package source references child process execution.

v3/@claude-flow/shared/dist/core/orchestrator/lifecycle-manager.js · L55

v3/@claude-flow/cli/dist/src/init/executor.js
matchType = previous_version_dangerous_delta matchedPackage = claude-flow@3.16.3 matchedIdentity = npm:Y2xhdWRlLWZsb3c:3.16.3 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

v3/@claude-flow/cli/dist/src/init/executor.js

L245: // Platform-specific command wrappers
L246: // Windows: Use PowerShell-compatible commands
L247: // Mac/Linux: Use bash-compatible commands with 2>/dev/null
High
Shell

Package source references shell execution.

v3/@claude-flow/cli/dist/src/init/executor.js · L245

v3/@claude-flow/guidance/dist/analyzer.js
L1344: patternName = generic_password severity = medium line = 1344 matchedText = { type: ...' },
Medium
Secret Pattern

Hardcoded password in v3/@claude-flow/guidance/dist/analyzer.js

v3/@claude-flow/guidance/dist/analyzer.js · L1344

L2127: patternName = generic_password severity = medium line = 2127 matchedText = { type: ...' },
Medium
Secret Pattern

Hardcoded password in v3/@claude-flow/guidance/dist/analyzer.js

v3/@claude-flow/guidance/dist/analyzer.js · L2127

L2103: { type: 'must-match-pattern', value: 'escape|validate|regex|filter', severity: 'major' },
L2104: { type: 'must-not-contain', value: 'eval(', severity: 'critical' },
L2105: ],
Low
Eval

Package source references a known benign dynamic code generation pattern.

v3/@claude-flow/guidance/dist/analyzer.js · L2103

bin/cli.js
L10: const cliPath = join(__dirname, '..', 'v3', '@claude-flow', 'cli', 'bin', 'cli.js');
L11: await import(pathToFileURL(cliPath).href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/cli.js · L10

v3/@claude-flow/cli/dist/src/init/statusline-generator.js
L149: ? '"' + process.execPath + '" "' + cliBin + '" hooks statusline --json 2>/dev/null'
L150: : 'npx --prefer-offline @claude-flow/cli hooks statusline --json 2>/dev/null';
L151: const raw = execSync(
L152: cmd,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

v3/@claude-flow/cli/dist/src/init/statusline-generator.js · L149

L47: const path = require('path');
L48: const { execSync } = require('child_process');
L49: const os = require('os');
...
L60: // RUFLO_STATUSLINE_HIDE_COST 1/true/yes/on removes the segment entirely.
L61: costSymbol: process.env.RUFLO_STATUSLINE_COST_SYMBOL ?? '$',
L62: hideCost: /^(1|true|yes|on)$/i.test(process.env.RUFLO_STATUSLINE_HIDE_COST || ''),
...
L64:
L65: const CWD = process.cwd();
L66:
...
L116: if (fs.existsSync(CACHE_FILE)) {
L117: const raw = JSON.parse(fs.readFileSync(CACHE_FILE, 'utf-8'));
L118: if (raw && raw._ts && (Date.now() - raw._ts) < CACHE_TTL_MS) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

v3/@claude-flow/cli/dist/src/init/statusline-generator.js · L47

v3/@claude-flow/cli/dist/src/benchmarks/gaia-tools/grounded_query.js#virtual:normalized:round1
L49: // 1. Environment variable (fastest path, used in test mocks and CI)
L50: const envKey = process.env['GOOGLE_AI_API_KEY'];
L51: if (envKey)
...
L54: try {
L55: const { execSync } = await import('node:child_process');
L56: const key = execSync('gcloud secrets versions access latest --secret=GOOGLE_AI_API_KEY --project=ruv-dev 2>/dev/null', { encoding: 'utf-8', timeout: 5_000 }).trim();
...
L62: }
L63: throw new Error("grounded_query: No Google AI API key found.\nSet GOOGLE_AI_API_KEY env var, or ensure `gcloud` is authenticated and\nthe secret GOOGLE_AI_API_KEY exists in GCP pro...
L64: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

v3/@claude-flow/cli/dist/src/benchmarks/gaia-tools/grounded_query.js#virtual:normalized:round1 · L49

.claude/statusline-command.sh
path = .claude/statusline-command.sh kind = payload_in_excluded_dir sizeBytes = 6239 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude/statusline-command.sh

path = .claude/statusline-command.sh kind = build_helper sizeBytes = 6239 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.claude/statusline-command.sh

.claude/agents/core/reviewer.md
L67: patternName = generic_password severity = medium line = 67 matchedText = console....rd);
Medium
Secret Pattern

Hardcoded password in .claude/agents/core/reviewer.md

.claude/agents/core/reviewer.md · L67

.claude/agents/flow-nexus/authentication.md
L22: patternName = generic_password severity = medium line = 22 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in .claude/agents/flow-nexus/authentication.md

.claude/agents/flow-nexus/authentication.md · L22

L29: patternName = generic_password severity = medium line = 29 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in .claude/agents/flow-nexus/authentication.md

.claude/agents/flow-nexus/authentication.md · L29

L43: patternName = generic_password severity = medium line = 43 matchedText = new_pass...ord"
Medium
Secret Pattern

Hardcoded password in .claude/agents/flow-nexus/authentication.md

.claude/agents/flow-nexus/authentication.md · L43

.claude/agents/sparc/refinement.md
L41: patternName = generic_password severity = medium line = 41 matchedText = password...23!'
Medium
Secret Pattern

Hardcoded password in .claude/agents/sparc/refinement.md

.claude/agents/sparc/refinement.md · L41

L69: patternName = generic_password severity = medium line = 69 matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in .claude/agents/sparc/refinement.md

.claude/agents/sparc/refinement.md · L69

L245: patternName = generic_password severity = medium line = 245 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in .claude/agents/sparc/refinement.md

.claude/agents/sparc/refinement.md · L245

.claude/commands/flow-nexus/login-registration.md
L14: patternName = generic_password severity = medium line = 14 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in .claude/commands/flow-nexus/login-registration.md

.claude/commands/flow-nexus/login-registration.md · L14

L23: patternName = generic_password severity = medium line = 23 matchedText = password...ord"
Medium
Secret Pattern

Hardcoded password in .claude/commands/flow-nexus/login-registration.md

.claude/commands/flow-nexus/login-registration.md · L23

L45: patternName = generic_password severity = medium line = 45 matchedText = new_pass...ord"
Medium
Secret Pattern

Hardcoded password in .claude/commands/flow-nexus/login-registration.md

.claude/commands/flow-nexus/login-registration.md · L45

.claude/skills/flow-nexus-platform/SKILL.md
L30: patternName = generic_password severity = medium line = 30 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in .claude/skills/flow-nexus-platform/SKILL.md

.claude/skills/flow-nexus-platform/SKILL.md · L30

L40: patternName = generic_password severity = medium line = 40 matchedText = password...ord"
Medium
Secret Pattern

Hardcoded password in .claude/skills/flow-nexus-platform/SKILL.md

.claude/skills/flow-nexus-platform/SKILL.md · L40

L67: patternName = generic_password severity = medium line = 67 matchedText = new_pass...ord"
Medium
Secret Pattern

Hardcoded password in .claude/skills/flow-nexus-platform/SKILL.md

.claude/skills/flow-nexus-platform/SKILL.md · L67

L872: patternName = generic_password severity = medium line = 872 matchedText = password...3!",
Medium
Secret Pattern

Hardcoded password in .claude/skills/flow-nexus-platform/SKILL.md

.claude/skills/flow-nexus-platform/SKILL.md · L872

L879: patternName = generic_password severity = medium line = 879 matchedText = password...23!"
Medium
Secret Pattern

Hardcoded password in .claude/skills/flow-nexus-platform/SKILL.md

.claude/skills/flow-nexus-platform/SKILL.md · L879

Findings

3 Critical · 5 High · 23 Medium · 5 Low

Critical · Critical Secret · v3/@claude-flow/guidance/dist/manifest-validator.js
Critical · Previous Version Dangerous Delta · v3/@claude-flow/cli/dist/src/init/executor.js
Critical · Secret Pattern · v3/@claude-flow/guidance/dist/manifest-validator.js
High · Child Process · v3/@claude-flow/shared/dist/core/orchestrator/lifecycle-manager.js
High · Shell · v3/@claude-flow/cli/dist/src/init/executor.js
High · Same File Env Network Execution · v3/@claude-flow/cli/dist/src/benchmarks/gaia-tools/grounded_query.js#virtual:normalized:round1
High · Runtime Package Install · v3/@claude-flow/cli/dist/src/init/statusline-generator.js
High · Payload In Excluded Dir · .claude/statusline-command.sh
Medium · Dynamic Require · bin/cli.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · v3/@claude-flow/cli/dist/src/init/statusline-generator.js
Medium · Ships Build Helper · .claude/statusline-command.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · .claude/agents/core/reviewer.md
Medium · Secret Pattern · .claude/agents/flow-nexus/authentication.md
Medium · Secret Pattern · .claude/agents/flow-nexus/authentication.md
Medium · Secret Pattern · .claude/agents/flow-nexus/authentication.md
Medium · Secret Pattern · .claude/agents/sparc/refinement.md
Medium · Secret Pattern · .claude/agents/sparc/refinement.md
Medium · Secret Pattern · .claude/agents/sparc/refinement.md
Medium · Secret Pattern · .claude/commands/flow-nexus/login-registration.md
Medium · Secret Pattern · .claude/commands/flow-nexus/login-registration.md
Medium · Secret Pattern · .claude/commands/flow-nexus/login-registration.md
Medium · Secret Pattern · .claude/skills/flow-nexus-platform/SKILL.md
Medium · Secret Pattern · .claude/skills/flow-nexus-platform/SKILL.md
Medium · Secret Pattern · .claude/skills/flow-nexus-platform/SKILL.md
Medium · Secret Pattern · .claude/skills/flow-nexus-platform/SKILL.md
Medium · Secret Pattern · .claude/skills/flow-nexus-platform/SKILL.md
Medium · Secret Pattern · v3/@claude-flow/guidance/dist/analyzer.js
Medium · Secret Pattern · v3/@claude-flow/guidance/dist/analyzer.js
Low · Scripts Present
Low · Eval · v3/@claude-flow/guidance/dist/analyzer.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings