registry  /  customize-agent  /  2.1.27

customize-agent@2.1.27

通用终端 AI 助手 — 原生 Function Calling + 双语 TUI + 三级模型分层

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 145 file(s), 870 KB of source, external domains: api.anthropic.com, api.deepseek.com, generativelanguage.googleapis.com, github.com, openrouter.ai

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/server-bundle/setup.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/tui/file-index.jsView file
4*/ L5: import { execFileSync } from 'child_process'; L6: import glob from 'fast-glob';
High
Child Process

Package source references child process execution.

dist/tui/file-index.jsView on unpkg · L4
dist/scripts/kill-server.cjsView file
2// Order: kill CLI first (prevents auto-restart of server) → kill server → wait for handle release L3: var execSync = require('child_process').execSync; L4: var isWin = process.platform === 'win32';
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/scripts/kill-server.cjsView on unpkg · L2
dist/index.jsView file
270return { client, status: `ChromaDB: 已连接 ${client.baseUrl}` }; L271: const { spawn } = await import('child_process'); L272: let port = chromaPort(client); ... L274: port += 1; L275: process.env.CHROMA_URL = `http://localhost:${port}`; L276: client = new ChromaHttpClient();
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L270
matchType = previous_version_dangerous_delta matchedPackage = customize-agent@2.1.19 matchedIdentity = npm:Y3VzdG9taXplLWFnZW50:2.1.19 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
dist/server-bundle/apps/server/.next/server/chunks/5076.jsView file
path = dist/server-bundle/apps/server/.next/server/chunks/5076.js kind = payload_in_excluded_dir sizeBytes = 2459403 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

dist/server-bundle/apps/server/.next/server/chunks/5076.jsView on unpkg
path = dist/server-bundle/apps/server/.next/server/chunks/5076.js kind = oversized_source_file sizeBytes = 2459403 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/server-bundle/apps/server/.next/server/chunks/5076.jsView on unpkg

Findings

7 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/tui/file-index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighPayload In Excluded Dirdist/server-bundle/apps/server/.next/server/chunks/5076.js
HighOversized Source Filedist/server-bundle/apps/server/.next/server/chunks/5076.js
HighPrevious Version Dangerous Deltadist/index.js
MediumDynamic Requiredist/scripts/kill-server.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings