registry  /  flowcollab  /  0.3.31

flowcollab@0.3.31

Multi-Claude coordination layer — shared task board CLI for teams running Claude Code

Static Scan Results

scanned 8h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 37 file(s), 163 KB of source, external domains: api.github.com, flowcollab.dev, github.com, registry.npmjs.org

Source & flagged code

7 flagged · loading source
bin/comment.mjsView file
13L14: import { execFileSync } from 'child_process'; L15: import { flowFetch, resolveTaskId, positional, arg, die } from './_client.mjs';
High
Child Process

Package source references child process execution.

bin/comment.mjsView on unpkg · L13
bin/_client.mjsView file
26// FLOW_TLS_RESPAWNED guards against an infinite re-spawn loop: if a Node build L27: // ever drops --use-system-ca from execArgv, the execArgv check alone would L28: // re-spawn forever. The env flag survives across the spawn, so we only ever
High
Shell

Package source references shell execution.

bin/_client.mjsView on unpkg · L26
21// On Windows, Node's bundled CA store doesn't include certs added by corporate/AV L22: // TLS inspection software, causing fetch() to throw "fetch failed". Re-spawn with L23: // --use-system-ca so Node trusts the Windows certificate store instead. ... L26: // FLOW_TLS_RESPAWNED guards against an infinite re-spawn loop: if a Node build L27: // ever drops --use-system-ca from execArgv, the execArgv check alone would L28: // re-spawn forever. The env flag survives across the spawn, so we only ever ... L31: && !process.execArgv.includes('--use-system-ca') L32: && process.env.FLOW_TLS_RESPAWNED !== '1') { L33: const r = spawnSync(process.execPath, ['--use-system-ca', ...process.argv.slice(1)], {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/_client.mjsView on unpkg · L21
bin/scan.mjsView file
174{ re: /(?:^|\b)[A-Za-z][A-Za-z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY|ACCESS_KEY)\s*=\s*\S{6,}/i, label: 'Secret in env-style assignment' }, L175: { re: /\beval\s*\(/, label: 'eval() usage (code injection risk)' }, L176: { re: /dangerouslySetInnerHTML/, label: 'dangerouslySetInnerHTML (XSS risk)' },
Low
Eval

Package source references a known benign dynamic code generation pattern.

bin/scan.mjsView on unpkg · L174
bin/flow.mjsView file
92try { L93: await import(new URL(target, import.meta.url)); L94: } catch (e) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/flow.mjsView on unpkg · L92
bin/login.mjsView file
3Usage: L4: flow-login [--server=https://flowcollab.dev] [--as="<agent name>"] L5: ... L18: import { join } from 'path'; L19: import { execFile, spawnSync } from 'child_process'; L20: import { helpGuard } from './_commands.mjs'; ... L30: // router already re-spawned, so FLOW_TLS_RESPAWNED=1 makes this a no-op. L31: if (process.platform === 'win32' L32: && !process.execArgv.includes('--use-system-ca') L33: && process.env.FLOW_TLS_RESPAWNED !== '1') { L34: const r = spawnSync(process.execPath, ['--use-system-ca', ...process.argv.slice(1)], { ... L65: headers: { 'Content-Type': 'application/json' },
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/login.mjsView on unpkg · L3
matchType = previous_version_dangerous_delta matchedPackage = flowcollab@0.3.30 matchedIdentity = npm:Zmxvd2NvbGxhYg:0.3.30 similarity = 0.649 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/login.mjsView on unpkg

Findings

5 High4 Medium5 Low
HighChild Processbin/comment.mjs
HighShellbin/_client.mjs
HighSame File Env Network Executionbin/_client.mjs
HighSandbox Evasion Gated Capabilitybin/login.mjs
HighPrevious Version Dangerous Deltabin/login.mjs
MediumDynamic Requirebin/flow.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowEvalbin/scan.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License