getwayland@0.11.9

Self-host Wayland - your always-on AI agent - on any Linux box or VPS. Headless web server, reachable from your phone.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 36 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell
Supply chain: HighEntropyStrings, Minified, Obfuscated, Telemetry, UrlStrings
Manifest: CopyleftLicense
scanned 547 file(s), 23.0 MB of source
Oversized source lightweight scan
payload/dist-server/builtin-mcp-image-gen.js · 19.6 MB file, sampled 256 KB
Filesystem, Network, EnvironmentVars, HighEntropyStrings, UrlStrings · 100.100.100.200, 169.254, 169.254.169.254, example.com, getwayland.com, metadata.google.internal
payload/dist-server/builtin-mcp-search-skills.js · 3.53 MB file, sampled 256 KB
Filesystem, ChildProcess, Eval, HighEntropyStrings, UrlStrings · github.com, raw.githubusercontent.com
payload/dist-server/gemini.js · 28.1 MB file, sampled 256 KB
Filesystem, Network, ChildProcess, EnvironmentVars, Crypto, Shell, HighEntropyStrings, UrlStrings · aistudio.google.com, github.com, goo.gle
payload/dist-server/server.mjs · 68.9 MB file, sampled 256 KB
Filesystem, Network, ChildProcess, EnvironmentVars, Shell
payload/out/renderer/assets/index-CcPvB6-4.js · 3.89 MB file, sampled 256 KB
Network, ChildProcess, HighEntropyStrings, Minified

Source & flagged code

26 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
payload/out/renderer/assets/index-CPqvQHaG.js
L10: patternName = generic_password severity = medium line = 10 matchedText = Reason: ...ion.
Medium
Secret Pattern

Package contains a possible secret pattern.

payload/out/renderer/assets/index-CPqvQHaG.js · L10
bin/wayland.mjs
L15: */
L16: import { spawn, spawnSync } from 'node:child_process';
L17: import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

bin/wayland.mjs · L15
L111: function has(cmd) {
L112: return spawnSync(process.platform === 'win32' ? 'where' : 'which', [cmd], { stdio: 'ignore' }).status === 0;
L113: }
...
L120: /** Resolve the bun executable: PATH first, then ~/.bun/bin. Relying on `which
L121: * bun` alone made `wayland setup` report "bun install failed" right after a
L122: * clean install, and the systemd service die with "bun runtime not found",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/wayland.mjs · L111
L12: * an OpenAI-compatible endpoint, so a Flux key is wired as the OpenAI provider
L13: * pointed at https://api.fluxrouter.ai/v1 with model flux-auto - no wcore binary
L14: * required. (wcore, if present, is fetched by postinstall as an enhancement.)
L15: */
L16: import { spawn, spawnSync } from 'node:child_process';
L17: import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
...
L25: const SERVER = join(PAYLOAD, 'dist-server', 'server.mjs');
L26: const DATA_DIR = process.env.DATA_DIR || join(homedir(), '.wayland-server');
L27: const ENV_FILE = join(DATA_DIR, 'wayland.env');
...
L47: if (!_rl) {
L48: _rl = createInterface({ input: process.stdin, output: process.stdout });
L49: _rl.on('close', () => { _stdinEnded = true; });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/wayland.mjs · L12
payload/out/renderer/assets/vendor-highlight-DYD54Gmn.js
L8: `?F.useBR?"<br>":w:F.tabReplace?w.replace(/\t/g,F.tabReplace):w):h}function vi(h,w,Q){const oe=w?M[w]:Q;h.classList.add("hljs"),oe&&h.classList.add(oe)}const Ii={"before:highlightE...
L9: `))},"after:highlightElement":({result:h})=>{F.useBR&&(h.value=h.value.replace(/\n/g,"<br>"))}},Ai=/^(<[^>]+>|\t)+/gm,yi={"after:highlightElement":({result:h})=>{F.tabReplace&&(h.v...
L10: ]`,`[\\[\\]\\.,\\+\\-<> \r
High
Shell

Package source references shell execution.

payload/out/renderer/assets/vendor-highlight-DYD54Gmn.js · L8
payload/out/renderer/assets/whisperWorker-yk8fSaV0.js
L6: ${F}
L7: }`,m=new Function(Object.keys(P),F)(...Object.values(P)),F=`methodCaller<(${b.map(V=>V.name)}) => ${g.name}>`,TI(Object.defineProperty(m,"name",{value:F}))}function PI(u,f){return ...
L8: `),r)}p.validationMode&&_r(o,"validationMode",p.validationMode,r)}let _=Se().webgpuRegisterDevice(h);if(_){let[p,w,v]=_;_r(o,"deviceId",p.toString(),r),_r(o,"webgpuInstance",w.toSt...
Low
Eval

Package source references a known benign dynamic code generation pattern.

payload/out/renderer/assets/whisperWorker-yk8fSaV0.js · L6
payload/dist-server/builtin-mcp-concierge-diag.js
L1224: // validation function arguments
L1225: data: new codegen_1.Name("data"),
L1226: // data passed to validation function
...
L2251: id = normalizeId(id);
L2252: return resolver.resolve(baseId, id);
L2253: }
...
L3114: for (i = 0; i < input.length; i++) {
L3115: code = input[i].charCodeAt(0);
L3116: if (code === 48) {
...
L26646: var StdioServerTransport = class {
L26647: constructor(_stdin = import_node_process.default.stdin, _stdout = import_node_process.default.stdout) {
L26648: this._stdin = _stdin;
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

payload/dist-server/builtin-mcp-concierge-diag.js · L1224
L6: var __hasOwnProp = Object.prototype.hasOwnProperty;
L7: var __commonJS = (cb, mod) => function __require() {
L8: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

payload/dist-server/builtin-mcp-concierge-diag.js · L6
payload/dist-server/wasm/tree-sitter.wasm
path = payload/dist-server/wasm/tree-sitter.wasm kind = wasm_module sizeBytes = 205488 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

payload/dist-server/wasm/tree-sitter.wasm
payload/dist-server/skills/_builtin/skill-creator/scripts/init_skill.py
path = payload/dist-server/skills/_builtin/skill-creator/scripts/init_skill.py kind = build_helper sizeBytes = 10863 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

payload/dist-server/skills/_builtin/skill-creator/scripts/init_skill.py
payload/dist-server/skills/morph-ppt/reference/styles/warm--brand-refresh/warm__brand_refresh.pptx
path = payload/dist-server/skills/morph-ppt/reference/styles/warm--brand-refresh/warm__brand_refresh.pptx kind = high_entropy_blob sizeBytes = 13928 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

payload/dist-server/skills/morph-ppt/reference/styles/warm--brand-refresh/warm__brand_refresh.pptx
path = payload/dist-server/skills/morph-ppt/reference/styles/warm--brand-refresh/warm__brand_refresh.pptx kind = compressed_blob sizeBytes = 13928 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

payload/dist-server/skills/morph-ppt/reference/styles/warm--brand-refresh/warm__brand_refresh.pptx
path = payload/dist-server/skills/morph-ppt/reference/styles/warm--brand-refresh/warm__brand_refresh.pptx kind = nested_archive_needs_inspection sizeBytes = 13928 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

payload/dist-server/skills/morph-ppt/reference/styles/warm--brand-refresh/warm__brand_refresh.pptx
payload/dist-server/gemini.js
path = payload/dist-server/gemini.js kind = oversized_source_file sizeBytes = 29459435 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

payload/dist-server/gemini.js
payload/src/process/resources/skills-library/bodies/skills/security/security-auditor/SKILL.md
L107: patternName = generic_password severity = medium line = 107 matchedText = query = ...d}'"
Medium
Secret Pattern

Hardcoded password in payload/src/process/resources/skills-library/bodies/skills/security/security-auditor/SKILL.md

payload/src/process/resources/skills-library/bodies/skills/security/security-auditor/SKILL.md · L107
payload/src/process/resources/skills-library/bodies/skills/security/application-secrets-security/SKILL.md
L94: patternName = generic_password severity = medium line = 94 matchedText = password... USE
Medium
Secret Pattern

Hardcoded password in payload/src/process/resources/skills-library/bodies/skills/security/application-secrets-security/SKILL.md

payload/src/process/resources/skills-library/bodies/skills/security/application-secrets-security/SKILL.md · L94
payload/src/process/resources/skills-library/bodies/skills/backend-systems/supabase-builder/SKILL.md
L328: patternName = generic_password severity = medium line = 328 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in payload/src/process/resources/skills-library/bodies/skills/backend-systems/supabase-builder/SKILL.md

payload/src/process/resources/skills-library/bodies/skills/backend-systems/supabase-builder/SKILL.md · L328
payload/src/process/resources/skills-library/bodies/skills/testing-quality/load-tester/SKILL.md
L167: patternName = generic_password severity = medium line = 167 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in payload/src/process/resources/skills-library/bodies/skills/testing-quality/load-tester/SKILL.md

payload/src/process/resources/skills-library/bodies/skills/testing-quality/load-tester/SKILL.md · L167
payload/src/process/resources/skills-library/bodies/skills/data-engineering/data-catalog-builder/SKILL.md
L64: patternName = generic_password severity = medium line = 64 matchedText = password...RD}"
Medium
Secret Pattern

Hardcoded password in payload/src/process/resources/skills-library/bodies/skills/data-engineering/data-catalog-builder/SKILL.md

payload/src/process/resources/skills-library/bodies/skills/data-engineering/data-catalog-builder/SKILL.md · L64
payload/src/process/resources/skills-library/bodies/skills/hobbies-crafts/electronics-hobbyist/SKILL.md
L150: patternName = generic_password severity = medium line = 150 matchedText = const ch...rd";
Medium
Secret Pattern

Hardcoded password in payload/src/process/resources/skills-library/bodies/skills/hobbies-crafts/electronics-hobbyist/SKILL.md

payload/src/process/resources/skills-library/bodies/skills/hobbies-crafts/electronics-hobbyist/SKILL.md · L150
payload/src/process/resources/skills-library/bodies/skills/devops-cloud/secrets-manager/SKILL.md
L78: patternName = generic_password severity = medium line = 78 matchedText = password...THIS
Medium
Secret Pattern

Hardcoded password in payload/src/process/resources/skills-library/bodies/skills/devops-cloud/secrets-manager/SKILL.md

payload/src/process/resources/skills-library/bodies/skills/devops-cloud/secrets-manager/SKILL.md · L78
L108: patternName = generic_password severity = medium line = 108 matchedText = password...THIS
Medium
Secret Pattern

Hardcoded password in payload/src/process/resources/skills-library/bodies/skills/devops-cloud/secrets-manager/SKILL.md

payload/src/process/resources/skills-library/bodies/skills/devops-cloud/secrets-manager/SKILL.md · L108
payload/src/process/resources/skills-library/bodies/skills/devops-cloud/env-file-manager/SKILL.md
L76: patternName = private_key_rsa severity = critical line = 76 matchedText = PRIVATE_...----
Critical
Secret Pattern

RSA private key in payload/src/process/resources/skills-library/bodies/skills/devops-cloud/env-file-manager/SKILL.md

payload/src/process/resources/skills-library/bodies/skills/devops-cloud/env-file-manager/SKILL.md · L76
payload/src/process/resources/skills-library/bodies/skills/writing/technical-blog-post/SKILL.md
L290: patternName = generic_password severity = medium line = 290 matchedText = When the...ext.
Medium
Secret Pattern

Hardcoded password in payload/src/process/resources/skills-library/bodies/skills/writing/technical-blog-post/SKILL.md

payload/src/process/resources/skills-library/bodies/skills/writing/technical-blog-post/SKILL.md · L290

Findings

1 Critical · 7 High · 19 Medium · 9 Low
Critical · Secret Pattern · payload/src/process/resources/skills-library/bodies/skills/devops-cloud/env-file-manager/SKILL.md
High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/wayland.mjs
High · Shell · payload/out/renderer/assets/vendor-highlight-DYD54Gmn.js
High · Cloud Metadata Access · payload/dist-server/builtin-mcp-concierge-diag.js
High · Runtime Package Install · bin/wayland.mjs
High · Ships High Entropy Blob · payload/dist-server/skills/morph-ppt/reference/styles/warm--brand-refresh/warm__brand_refresh.pptx
High · Oversized Source File · payload/dist-server/gemini.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Secret Pattern · payload/out/renderer/assets/index-CPqvQHaG.js
Medium · Dynamic Require · payload/dist-server/builtin-mcp-concierge-diag.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · bin/wayland.mjs
Medium · Ships Wasm Module · payload/dist-server/wasm/tree-sitter.wasm
Medium · Ships Build Helper · payload/dist-server/skills/_builtin/skill-creator/scripts/init_skill.py
Medium · Ships Compressed Blob · payload/dist-server/skills/morph-ppt/reference/styles/warm--brand-refresh/warm__brand_refresh.pptx
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · payload/src/process/resources/skills-library/bodies/skills/security/security-auditor/SKILL.md
Medium · Secret Pattern · payload/src/process/resources/skills-library/bodies/skills/security/application-secrets-security/SKILL.md
Medium · Secret Pattern · payload/src/process/resources/skills-library/bodies/skills/backend-systems/supabase-builder/SKILL.md
Medium · Secret Pattern · payload/src/process/resources/skills-library/bodies/skills/testing-quality/load-tester/SKILL.md
Medium · Secret Pattern · payload/src/process/resources/skills-library/bodies/skills/data-engineering/data-catalog-builder/SKILL.md
Medium · Secret Pattern · payload/src/process/resources/skills-library/bodies/skills/hobbies-crafts/electronics-hobbyist/SKILL.md
Medium · Secret Pattern · payload/src/process/resources/skills-library/bodies/skills/devops-cloud/secrets-manager/SKILL.md
Medium · Secret Pattern · payload/src/process/resources/skills-library/bodies/skills/devops-cloud/secrets-manager/SKILL.md
Medium · Secret Pattern · payload/src/process/resources/skills-library/bodies/skills/writing/technical-blog-post/SKILL.md
Low · Scripts Present
Low · Eval · payload/out/renderer/assets/whisperWorker-yk8fSaV0.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · Nested Archive Needs Inspection · payload/dist-server/skills/morph-ppt/reference/styles/warm--brand-refresh/warm__brand_refresh.pptx
Low · Copyleft License