registry  /  flowcollab  /  0.3.18

flowcollab@0.3.18

Multi-Claude coordination layer — shared task board + CLI for teams running Claude Code

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 32 file(s), 118 KB of source, external domains: api.github.com, flowcollab.dev, github.com, registry.npmjs.org

Source & flagged code

8 flagged · loading source
bin/comment.mjsView file
13L14: import { execFileSync } from 'child_process'; L15: import { flowFetch, resolveTaskId, positional, arg, die } from './_client.mjs';
High
Child Process

Package source references child process execution.

bin/comment.mjsView on unpkg · L13
bin/_client.mjsView file
19// FLOW_TLS_RESPAWNED guards against an infinite re-spawn loop: if a Node build L20: // ever drops --use-system-ca from execArgv, the execArgv check alone would L21: // re-spawn forever. The env flag survives across the spawn, so we only ever
High
Shell

Package source references shell execution.

bin/_client.mjsView on unpkg · L19
11import { join } from 'path'; L12: import { get as httpsGet } from 'https'; L13: ... L19: // FLOW_TLS_RESPAWNED guards against an infinite re-spawn loop: if a Node build L20: // ever drops --use-system-ca from execArgv, the execArgv check alone would L21: // re-spawn forever. The env flag survives across the spawn, so we only ever ... L24: && !process.execArgv.includes('--use-system-ca') L25: && process.env.FLOW_TLS_RESPAWNED !== '1') { L26: const r = spawnSync(process.execPath, ['--use-system-ca', ...process.argv.slice(1)], {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/_client.mjsView on unpkg · L11
bin/scan.mjsView file
168{ re: /(?:^|\b)[A-Za-z][A-Za-z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY|ACCESS_KEY)\s*=\s*\S{6,}/i, label: 'Secret in env-style assignment' }, L169: { re: /\beval\s*\(/, label: 'eval() usage (code injection risk)' }, L170: { re: /dangerouslySetInnerHTML/, label: 'dangerouslySetInnerHTML (XSS risk)' },
Low
Eval

Package source references a known benign dynamic code generation pattern.

bin/scan.mjsView on unpkg · L168
bin/flow.mjsView file
6Cross-file remote execution chain: bin/flow.mjs spawns bin/scan.mjs; helper contains network access plus dynamic code execution. L6: L7: import { spawnSync } from 'child_process'; L8: import { readFileSync } from 'fs'; ... L16: // hands this flag to the subcommand, so _client.mjs won't re-spawn a third time. L17: if (process.platform === 'win32' L18: && !process.execArgv.includes('--use-system-ca') L19: && process.env.FLOW_TLS_RESPAWNED !== '1') { L20: const r = spawnSync(process.execPath, ['--use-system-ca', ...process.argv.slice(1)], { ... L67: try { L68: const pkg = JSON.parse(readFileSync(new URL('../package.json', import.meta.url), 'utf8')); L69: version = ` v${pkg.version}`; ... L71:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/flow.mjsView on unpkg · L6
113try { L114: await import(new URL(target, import.meta.url)); L115: } catch (e) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/flow.mjsView on unpkg · L113
bin/login.mjsView file
18: `xdg-open "${url}"`; L19: exec(cmd); L20: } catch { /* best-effort */ } ... L24: // 1. Request device code from server L25: const r = await fetch(`${base}/api/flow/auth/device`, { L26: method: 'POST', ... L33: // 2. Show instructions and open browser L34: process.stdout.write('\nAuthorize Flow CLI\n\n'); L35: process.stdout.write(` Visit: ${url}\n`);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/login.mjsView on unpkg · L18
3Usage: L4: flow-login [--server=https://flowcollab.dev] L5: */ ... L8: import { join } from 'path'; L9: import { exec } from 'child_process'; L10: L11: const serverArg = process.argv.find(a => a.startsWith('--server='))?.slice(9); L12: const base = (serverArg || process.env.FLOW_API_BASE || 'https://flowcollab.dev').replace(/\/+$/, ''); L13: ... L15: try { L16: const cmd = process.platform === 'darwin' ? `open "${url}"` L17: : process.platform === 'win32' ? `start "" "${url}"`
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/login.mjsView on unpkg · L3

Findings

6 High4 Medium6 Low
HighChild Processbin/comment.mjs
HighShellbin/_client.mjs
HighSame File Env Network Executionbin/_client.mjs
HighCommand Output Exfiltrationbin/login.mjs
HighSandbox Evasion Gated Capabilitybin/login.mjs
HighCross File Remote Execution Contextbin/flow.mjs
MediumDynamic Requirebin/flow.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalbin/scan.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License