registry  /  cool-workflow  /  0.1.97

cool-workflow@0.1.97

A workflow control plane and run-time you are able to check: it sends out jobs in TypeScript, makes certain of work against facts before it goes through, puts state into fixed records, orders jobs by time, runs jobs again and again, gets a group of agents

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 210 file(s), 2.12 MB of source, external domains: github.com, nodejs.org, raw.githubusercontent.com, www.npmjs.com

Source & flagged code

5 flagged · loading source
dist/commit.jsView file
9const node_path_1 = __importDefault(require("node:path")); L10: const node_child_process_1 = require("node:child_process"); L11: const state_1 = require("./state");
High
Child Process

Package source references child process execution.

dist/commit.jsView on unpkg · L9
dist/reporter.jsView file
15exports.createReporter = createReporter; L16: const term_1 = require("./term"); L17: function isTTY(stream) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/reporter.jsView on unpkg · L15
dist/remote-source.js#virtual:normalized:round1View file
269} L270: const child = "const fs=require('fs');const [url,out,cap]=[process.argv[1],process.argv[2],Number(process.argv[3])];const priv=(h)=>{h=String(h).replace(/^\\[|\\]$/g,'').toLowerCas... L271: const result = (0, child_process.spawnSync)(process.execPath, ["-e", child, rawUrl, dest, String(MAX_ARCHIVE_BYTES)], { L272: encoding: "utf8", L273: timeout: opts.timeoutMs || 120000, L274: env: opts.env || process.env, L275: stdio: ["ignore", "ignore", "pipe"]
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/remote-source.js#virtual:normalized:round1View on unpkg · L269
dist/remote-source.jsView file
280"for(let i=0;i<6;i++){", L281: "const r=await fetch(u,{redirect:'manual'});", L282: "if(r.status>=300&&r.status<400&&r.headers.get('location')){", L283: "const nx=new URL(r.headers.get('location'),u);", L284: "if(!/^https?:$/.test(nx.protocol)){process.stderr.write('redirect to disallowed scheme '+nx.protocol);process.exit(5);}", L285: "if(priv(nx.hostname)){process.stderr.write('redirect to a private/internal host was blocked');process.exit(5);}", ... L295: ].join(""); L296: const result = (0, node_child_process_1.spawnSync)(process.execPath, ["-e", child, rawUrl, dest, String(MAX_ARCHIVE_BYTES)], { L297: encoding: "utf8",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/remote-source.jsView on unpkg · L280
scripts/release-gate.shView file
path = scripts/release-gate.sh kind = build_helper sizeBytes = 4456 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/release-gate.shView on unpkg

Findings

3 High5 Medium4 Low
HighChild Processdist/commit.js
HighSame File Env Network Executiondist/remote-source.js#virtual:normalized:round1
HighCommand Output Exfiltrationdist/remote-source.js
MediumDynamic Requiredist/reporter.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/release-gate.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings