Static analysis flagged 25 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Package contains a high-severity secret pattern.
claude_cowork/src/tools/update copy.jsView on unpkg · L2Google API key in claude_cowork/src/tools/update copy.js
claude_cowork/src/tools/update copy.jsView on unpkg · L2Package source references a known benign dynamic code generation pattern.
Package source references dynamic require/import behavior.
configs-example.jsView on unpkg · L33Package source references weak cryptographic algorithms.
claude_cowork/src/models/schedule.jsView on unpkg · L18Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
server/route.jsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
enable_mongo_replica.shView on unpkgPackage ships compressed or archive-like blobs.
claude_cowork/src/templates/excels/pc1.xlsxView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
claude_cowork/src/templates/excels/pc1.xlsxView on unpkgPackage ships high-entropy non-source blobs.
claude_cowork/src/templates/excels/pn5.xlsxView on unpkgPackage contains source files above the static scanner size ceiling.
claude_cowork/src/data/sys/listinfo.jsView on unpkgGoogle API key in claude_cowork/src/tools/create_province.js
claude_cowork/src/tools/create_province.jsView on unpkg · L2Google API key in claude_cowork/src/tools/resetPassword.js
claude_cowork/src/tools/resetPassword.jsView on unpkg · L2Google API key in claude_cowork/src/tools/set_px_gia_dd.js
claude_cowork/src/tools/set_px_gia_dd.jsView on unpkg · L2Google API key in claude_cowork/src/tools/update_system.js
claude_cowork/src/tools/update_system.jsView on unpkg · L2Package contains a high-severity secret pattern.
claude_cowork/src/tools/update copy.jsView on unpkg · L2Google API key in claude_cowork/src/tools/update copy.js
claude_cowork/src/tools/update copy.jsView on unpkg · L2Package source references a known benign dynamic code generation pattern.
claude_cowork/src/agents/tools/utils.jsView on unpkg · L211Package source references dynamic require/import behavior.
configs-example.jsView on unpkg · L33Package source references weak cryptographic algorithms.
claude_cowork/src/models/schedule.jsView on unpkg · L18Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
server/route.jsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
enable_mongo_replica.shView on unpkgPackage ships compressed or archive-like blobs.
claude_cowork/src/templates/excels/pc1.xlsxView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
claude_cowork/src/templates/excels/pc1.xlsxView on unpkgPackage ships high-entropy non-source blobs.
claude_cowork/src/templates/excels/pn5.xlsxView on unpkgPackage contains source files above the static scanner size ceiling.
claude_cowork/src/data/sys/listinfo.jsView on unpkgGoogle API key in claude_cowork/src/tools/create_province.js
claude_cowork/src/tools/create_province.jsView on unpkg · L2Google API key in claude_cowork/src/tools/resetPassword.js
claude_cowork/src/tools/resetPassword.jsView on unpkg · L2Google API key in claude_cowork/src/tools/set_px_gia_dd.js
claude_cowork/src/tools/set_px_gia_dd.jsView on unpkg · L2Google API key in claude_cowork/src/tools/update_system.js
claude_cowork/src/tools/update_system.jsView on unpkg · L2