registry  /  elowen  /  0.12.0

elowen@0.12.0

ELOWEN — an autonomous coding-agent orchestrator with an autopilot overseer, daemon API and web UI. Install globally and run `elowen`.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 465 file(s), 7.16 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.cerebras.ai, api.deepinfra.com, api.deepseek.com, api.fireworks.ai, api.groq.com, api.mistral.ai, api.moonshot.ai, api.openai.com, api.perplexity.ai, api.together.xyz, api.x.ai, api.z.ai, bugzilla.mozilla.org, code.google.com, code.visualstudio.com, developer.mozilla.org, developers.google.com, discord.com, drafts.csswg.org, elowen.dragocz.dev, en.wikipedia.org, generativelanguage.googleapis.com, github.com, googlechrome.github.io, hacks.mozilla.org, help.yahoo.com, html.spec.whatwg.org, inference.baseten.co, integrate.api.nvidia.com, json-schema.org, ollama.com, opencode.ai, openrouter.ai, r12a.github.io, registry.npmjs.org, router.huggingface.co, sass-lang.com, schema.org, stackoverflow.com, support.google.com, tools.ietf.org, wiki.whatwg.org, www.bing.com, www.dmoz.org, www.iana.org, www.ietf.org, www.w3.org, www.whatwg.org
Oversized source lightweight scan
web-dist/public/monaco/vs/assets/ts.worker-CMbG-7ft.js6.69 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsShell
web-dist/public/monaco/vs/editor.api-CalNCsUg.js3.50 MB file, sampled 256 KB
ChildProcessEnvironmentVarsShellObfuscatedHighEntropyStringsMinified

Source & flagged code

11 flagged · loading source
web-dist/.next/server/chunks/ssr/_1zwa-4-._.jsView file
1patternName = generic_password severity = medium line = 1 matchedText = module.e...)}];
Medium
Secret Pattern

Package contains a possible secret pattern.

web-dist/.next/server/chunks/ssr/_1zwa-4-._.jsView on unpkg · L1
dist/plugins/terminal/index.mjsView file
8import { Type } from 'typebox'; L9: import { spawn } from 'node:child_process'; L10:
High
Child Process

Package source references child process execution.

dist/plugins/terminal/index.mjsView on unpkg · L8
web-dist/public/monaco/vs/assets/css.worker-HnVq6Ewq.jsView file
6`).slice(2).join(` L7: `))}}class fh extends Error{constructor(e,n){super(e),this.name="ListenerLeakError",this.stack=n}}class gh extends Error{constructor(e,n){super(e),this.name="ListenerRefusalError",... L8: `||t===" "}class er{constructor(e,n,r){this.changes=e,this.moves=n,this.hitTimeout=r}}class jd{constructor(e,n){this.lineRangeMapping=e,this.changes=n}}function Hd(t,e,n=(r,i)=>r==...
High
Shell

Package source references shell execution.

web-dist/public/monaco/vs/assets/css.worker-HnVq6Ewq.jsView on unpkg · L6
web-dist/public/monaco/vs/loader.jsView file
437try { L438: return (e ? self.eval(e.createScript('', 'true')) : new Function('true')).call(self), !0; L439: } catch {
Low
Eval

Package source references a known benign dynamic code generation pattern.

web-dist/public/monaco/vs/loader.jsView on unpkg · L437
web-dist/server.jsView file
4import module from 'node:module' L5: const require = module.createRequire(import.meta.url) L6: const __dirname = fileURLToPath(new URL('.', import.meta.url))
Medium
Dynamic Require

Package source references dynamic require/import behavior.

web-dist/server.jsView on unpkg · L4
dist/cli/install/index.jsView file
14import { INSTALL_INFO_PATH, serializeInstallInfo } from '../installInfo.js'; L15: const DAEMON_PORT = Number((process.env.ELOWEN_PORT) ?? 4400); L16: const WEB_PORT = Number((process.env.ELOWEN_WEB_PORT) ?? 4500); ... L21: if (d.mode === 'ip') L22: return `http://${d.host}:${WEB_PORT}`; L23: return `http://localhost:${WEB_PORT}`; ... L36: const res = await r.exec('npm', ['prefix', '-g']); L37: return join(res.stdout.trim() || '/usr/local', 'bin'); L38: } ... L99: method: 'POST', headers: { 'content-type': 'application/json' }, L100: body: JSON.stringify({ username, password }), L101: });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/install/index.jsView on unpkg · L14
dist/cli/index.jsView file
1#!/usr/bin/env node L2: import { spawn } from 'node:child_process'; L3: import { realpathSync } from 'node:fs'; ... L11: import { interactiveLogin, launchChat } from './chat/launch.js'; L12: const BASE = (process.env.ELOWEN_URL) ?? 'http://localhost:4400'; L13: const USAGE = "usage: elowen [command] [options] — run `elowen --help` for the full command list";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L1
web-dist/.next/server/app/apple-icon.png.bodyView file
path = web-dist/.next/server/app/apple-icon.png.body kind = high_entropy_blob sizeBytes = 20884 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

web-dist/.next/server/app/apple-icon.png.bodyView on unpkg
path = web-dist/.next/server/app/apple-icon.png.body kind = payload_in_excluded_dir sizeBytes = 20884 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

web-dist/.next/server/app/apple-icon.png.bodyView on unpkg
web-dist/public/monaco/vs/assets/ts.worker-CMbG-7ft.jsView file
path = web-dist/public/monaco/vs/assets/ts.worker-CMbG-7ft.js kind = oversized_source_file sizeBytes = 7011550 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

web-dist/public/monaco/vs/assets/ts.worker-CMbG-7ft.jsView on unpkg
web-dist/.next/static/chunks/2cz4m1w6gut_4.jsView file
1patternName = generic_password severity = medium line = 1 matchedText = (globalT...}]);
Medium
Secret Pattern

Hardcoded password in web-dist/.next/static/chunks/2cz4m1w6gut_4.js

web-dist/.next/static/chunks/2cz4m1w6gut_4.jsView on unpkg · L1

Findings

6 High7 Medium8 Low
HighChild Processdist/plugins/terminal/index.mjs
HighShellweb-dist/public/monaco/vs/assets/css.worker-HnVq6Ewq.js
HighSame File Env Network Executiondist/cli/index.js
HighShips High Entropy Blobweb-dist/.next/server/app/apple-icon.png.body
HighPayload In Excluded Dirweb-dist/.next/server/app/apple-icon.png.body
HighOversized Source Fileweb-dist/public/monaco/vs/assets/ts.worker-CMbG-7ft.js
MediumSecret Patternweb-dist/.next/server/chunks/ssr/_1zwa-4-._.js
MediumDynamic Requireweb-dist/server.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/install/index.js
MediumStructural Risk Force Deep Review
MediumSecret Patternweb-dist/.next/static/chunks/2cz4m1w6gut_4.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalweb-dist/public/monaco/vs/loader.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings