registry  /  flowcollab  /  0.3.30

flowcollab@0.3.30

Multi-Claude coordination layer — shared task board CLI for teams running Claude Code

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 37 file(s), 149 KB of source, external domains: api.github.com, flowcollab.dev, github.com, registry.npmjs.org

Source & flagged code

6 flagged · loading source
bin/comment.mjsView file
13L14: import { execFileSync } from 'child_process'; L15: import { flowFetch, resolveTaskId, positional, arg, die } from './_client.mjs';
High
Child Process

Package source references child process execution.

bin/comment.mjsView on unpkg · L13
bin/_client.mjsView file
19// FLOW_TLS_RESPAWNED guards against an infinite re-spawn loop: if a Node build L20: // ever drops --use-system-ca from execArgv, the execArgv check alone would L21: // re-spawn forever. The env flag survives across the spawn, so we only ever
High
Shell

Package source references shell execution.

bin/_client.mjsView on unpkg · L19
11import { join } from 'path'; L12: import { get as httpsGet } from 'https'; L13: ... L19: // FLOW_TLS_RESPAWNED guards against an infinite re-spawn loop: if a Node build L20: // ever drops --use-system-ca from execArgv, the execArgv check alone would L21: // re-spawn forever. The env flag survives across the spawn, so we only ever ... L24: && !process.execArgv.includes('--use-system-ca') L25: && process.env.FLOW_TLS_RESPAWNED !== '1') { L26: const r = spawnSync(process.execPath, ['--use-system-ca', ...process.argv.slice(1)], {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/_client.mjsView on unpkg · L11
bin/scan.mjsView file
174{ re: /(?:^|\b)[A-Za-z][A-Za-z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY|ACCESS_KEY)\s*=\s*\S{6,}/i, label: 'Secret in env-style assignment' }, L175: { re: /\beval\s*\(/, label: 'eval() usage (code injection risk)' }, L176: { re: /dangerouslySetInnerHTML/, label: 'dangerouslySetInnerHTML (XSS risk)' },
Low
Eval

Package source references a known benign dynamic code generation pattern.

bin/scan.mjsView on unpkg · L174
bin/flow.mjsView file
78try { L79: await import(new URL(target, import.meta.url)); L80: } catch (e) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/flow.mjsView on unpkg · L78
bin/login.mjsView file
3Usage: L4: flow-login [--server=https://flowcollab.dev] [--as="<agent name>"] L5: ... L18: import { join } from 'path'; L19: import { execFile, spawnSync } from 'child_process'; L20: ... L24: // router already re-spawned, so FLOW_TLS_RESPAWNED=1 makes this a no-op. L25: if (process.platform === 'win32' L26: && !process.execArgv.includes('--use-system-ca') L27: && process.env.FLOW_TLS_RESPAWNED !== '1') { L28: const r = spawnSync(process.execPath, ['--use-system-ca', ...process.argv.slice(1)], { ... L59: headers: { 'Content-Type': 'application/json' },
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/login.mjsView on unpkg · L3

Findings

4 High4 Medium5 Low
HighChild Processbin/comment.mjs
HighShellbin/_client.mjs
HighSame File Env Network Executionbin/_client.mjs
HighSandbox Evasion Gated Capabilitybin/login.mjs
MediumDynamic Requirebin/flow.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowEvalbin/scan.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License