registry  /  flowcollab  /  0.3.21

flowcollab@0.3.21

⚠ Under review

Multi-Claude coordination layer — shared task board + CLI for teams running Claude Code

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 33 file(s), 126 KB of source, external domains: api.github.com, flowcollab.dev, github.com, registry.npmjs.org

Source & flagged code

8 flagged · loading source
bin/comment.mjsView file
13L14: import { execFileSync } from 'child_process'; L15: import { flowFetch, resolveTaskId, positional, arg, die } from './_client.mjs';
High
Child Process

Package source references child process execution.

bin/comment.mjsView on unpkg · L13
bin/_client.mjsView file
19// FLOW_TLS_RESPAWNED guards against an infinite re-spawn loop: if a Node build L20: // ever drops --use-system-ca from execArgv, the execArgv check alone would L21: // re-spawn forever. The env flag survives across the spawn, so we only ever
High
Shell

Package source references shell execution.

bin/_client.mjsView on unpkg · L19
11import { join } from 'path'; L12: import { get as httpsGet } from 'https'; L13: ... L19: // FLOW_TLS_RESPAWNED guards against an infinite re-spawn loop: if a Node build L20: // ever drops --use-system-ca from execArgv, the execArgv check alone would L21: // re-spawn forever. The env flag survives across the spawn, so we only ever ... L24: && !process.execArgv.includes('--use-system-ca') L25: && process.env.FLOW_TLS_RESPAWNED !== '1') { L26: const r = spawnSync(process.execPath, ['--use-system-ca', ...process.argv.slice(1)], {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/_client.mjsView on unpkg · L11
bin/scan.mjsView file
173{ re: /(?:^|\b)[A-Za-z][A-Za-z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY|ACCESS_KEY)\s*=\s*\S{6,}/i, label: 'Secret in env-style assignment' }, L174: { re: /\beval\s*\(/, label: 'eval() usage (code injection risk)' }, L175: { re: /dangerouslySetInnerHTML/, label: 'dangerouslySetInnerHTML (XSS risk)' },
Low
Eval

Package source references a known benign dynamic code generation pattern.

bin/scan.mjsView on unpkg · L173
bin/flow.mjsView file
78try { L79: await import(new URL(target, import.meta.url)); L80: } catch (e) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/flow.mjsView on unpkg · L78
bin/login.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = flowcollab@0.3.19 matchedIdentity = npm:Zmxvd2NvbGxhYg:0.3.19 similarity = 0.394 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/login.mjsView on unpkg
38: ['xdg-open', [url]]; L39: execFile(file, args); L40: } catch { /* best-effort */ } ... L44: // 1. Request device code from server L45: const r = await fetch(`${base}/api/flow/auth/device`, { L46: method: 'POST', ... L53: // 2. Show instructions and open browser L54: process.stdout.write('\nAuthorize Flow CLI\n\n'); L55: process.stdout.write(` Visit: ${url}\n`);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/login.mjsView on unpkg · L38
3Usage: L4: flow-login [--server=https://flowcollab.dev] L5: */ ... L8: import { join } from 'path'; L9: import { execFile, spawnSync } from 'child_process'; L10: ... L14: // router already re-spawned, so FLOW_TLS_RESPAWNED=1 makes this a no-op. L15: if (process.platform === 'win32' L16: && !process.execArgv.includes('--use-system-ca') L17: && process.env.FLOW_TLS_RESPAWNED !== '1') { L18: const r = spawnSync(process.execPath, ['--use-system-ca', ...process.argv.slice(1)], { ... L50: if (!r.ok) throw new Error(`Server error: ${r.status}`);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/login.mjsView on unpkg · L3

Findings

1 Critical5 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltabin/login.mjs
HighChild Processbin/comment.mjs
HighShellbin/_client.mjs
HighSame File Env Network Executionbin/_client.mjs
HighCommand Output Exfiltrationbin/login.mjs
HighSandbox Evasion Gated Capabilitybin/login.mjs
MediumDynamic Requirebin/flow.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalbin/scan.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License