registry  /  claw-coder  /  0.1.3

claw-coder@0.1.3

Claw coder is a local first AI agent that turns local coding small LLMs into powerful AI agents that actually work

Static Scan Results

scanned 32m ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 29.6 KB of source, external domains: api.github.com, github.com, yourref.supabase.co

Source & flagged code

4 flagged · loading source
bin/auth.jsView file
215try { L216: require("child_process").execSync(`${cmd} "${device.verification_uri}"`, { stdio: "ignore" }); L217: } catch {}
High
Child Process

Package source references child process execution.

bin/auth.jsView on unpkg · L215
2L3: const fs = require("node:fs"); L4: const os = require("node:os");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/auth.jsView on unpkg · L2
bin/claw-coder.jsView file
518console.error(err.message); L519: process.exitCode = 1; L520: return; ... L522: console.log("Creating checkout for the $30/month Claw Coder plan..."); L523: apiFetch("/checkout", session, { method: "POST", body: JSON.stringify({}) }) L524: .then((data) => { ... L533: try { L534: spawnSync(opener, [data.checkout_url], { L535: stdio: "ignore",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/claw-coder.jsView on unpkg · L518
agent_sever.pyView file
path = agent_sever.py kind = build_helper sizeBytes = 24186 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

agent_sever.pyView on unpkg

Findings

2 High5 Medium4 Low
HighChild Processbin/auth.js
HighCommand Output Exfiltrationbin/claw-coder.js
MediumDynamic Requirebin/auth.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperagent_sever.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings