registry  /  customize-agent  /  2.1.31

customize-agent@2.1.31

通用终端 AI 助手 — 原生 Function Calling + 双语 TUI + 三级模型分层

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis completed at 93.0% confidence. No malicious behavior was detected; 15 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 145 file(s), 871 KB of source, external domains: api.anthropic.com, api.deepseek.com, generativelanguage.googleapis.com, github.com, openrouter.ai

Source & flagged code

6 flagged · loading source
dist/tui/file-index.jsView file
4*/ L5: import { execFileSync } from 'child_process'; L6: import glob from 'fast-glob';
High
Child Process

Package source references child process execution.

dist/tui/file-index.jsView on unpkg · L4
dist/index.jsView file
282return { client, status: `ChromaDB: 已连接 ${client.baseUrl}` }; L283: const { spawn } = await import('child_process'); L284: let port = chromaPort(client); ... L286: port += 1; L287: process.env.CHROMA_URL = `http://localhost:${port}`; L288: client = new ChromaHttpClient();
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L282
matchType = previous_version_dangerous_delta matchedPackage = customize-agent@2.1.28 matchedIdentity = npm:Y3VzdG9taXplLWFnZW50:2.1.28 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
35if (process.platform === 'win32') { L36: const { execSync } = require('child_process'); L37: execSync(`taskkill /F /PID ${pid}`, { timeout: 3000, stdio: 'ignore' });
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L35
dist/server-bundle/apps/server/.next/server/chunks/5076.jsView file
path = dist/server-bundle/apps/server/.next/server/chunks/5076.js kind = payload_in_excluded_dir sizeBytes = 2459403 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

dist/server-bundle/apps/server/.next/server/chunks/5076.jsView on unpkg
path = dist/server-bundle/apps/server/.next/server/chunks/5076.js kind = oversized_source_file sizeBytes = 2459403 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/server-bundle/apps/server/.next/server/chunks/5076.jsView on unpkg

Findings

6 High4 Medium5 Low
HighChild Processdist/tui/file-index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighPayload In Excluded Dirdist/server-bundle/apps/server/.next/server/chunks/5076.js
HighOversized Source Filedist/server-bundle/apps/server/.next/server/chunks/5076.js
HighPrevious Version Dangerous Deltadist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings