registry  /  claude-nomad  /  0.58.0

claude-nomad@0.58.0

Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 275 KB of source, external domains: cli.github.com, funkadelic.github.io, github.com, json.schemastore.org, registry.npmjs.org

Source & flagged code

7 flagged · loading source
.gitleaks.tomlView file
48patternName = github_pat severity = critical line = 48 matchedText = '''ghp_x...''',
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.gitleaks.tomlView on unpkg · L48
48patternName = github_pat severity = critical line = 48 matchedText = '''ghp_x...''',
Critical
Secret Pattern

GitHub personal access token in .gitleaks.toml

.gitleaks.tomlView on unpkg · L48
49patternName = github_pat severity = critical line = 49 matchedText = '''ghp_x...''',
Critical
Secret Pattern

GitHub personal access token in .gitleaks.toml

.gitleaks.tomlView on unpkg · L49
50patternName = github_pat severity = critical line = 50 matchedText = '''ghp_A...''',
Critical
Secret Pattern

GitHub personal access token in .gitleaks.toml

.gitleaks.tomlView on unpkg · L50
51patternName = github_pat severity = critical line = 51 matchedText = '''ghp_A...''',
Critical
Secret Pattern

GitHub personal access token in .gitleaks.toml

.gitleaks.tomlView on unpkg · L51
dist/nomad.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = claude-nomad@0.56.1 matchedIdentity = npm:Y2xhdWRlLW5vbWFk:0.56.1 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/nomad.mjsView on unpkg
103var env = p.env || {}; L104: var isColorSupported = !(!!env.NO_COLOR || argv.includes("--no-color")) && (!!env.FORCE_COLOR || argv.includes("--color") || p.platform === "win32" || (p.stdout || {}).isTTY && env... L105: var formatter = (open, close, replace = open) => (input) => { ... L183: bold = (s) => enabled ? import_picocolors.default.bold(s) : s; L184: wslNarrowPad = process.env.WSL_DISTRO_NAME ? " " : ""; L185: okGlyph = `\u2713${wslNarrowPad}`; ... L192: // src/utils.ts L193: import { execFileSync } from "node:child_process"; L194: function gitCaptureRaw(args, cwd) { ... L212: const e = err; L213: if (e.stderr) process.stderr.write(e.stderr); L214: throw new NomadFatal(`${context} failed`);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/nomad.mjsView on unpkg · L103

Findings

5 Critical1 High2 Medium5 Low
CriticalCritical Secret.gitleaks.toml
CriticalSecret Pattern.gitleaks.toml
CriticalSecret Pattern.gitleaks.toml
CriticalSecret Pattern.gitleaks.toml
CriticalSecret Pattern.gitleaks.toml
HighPrevious Version Dangerous Deltadist/nomad.mjs
MediumEnvironment Vars
MediumInstall Persistencedist/nomad.mjs
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings