registry  /  handmux  /  0.12.0

handmux@0.12.0

A mobile vibe-coding cockpit — built on tmux: drive your live session, Claude Code / Codex — anything a terminal can run — from your phone.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 55 file(s), 1.18 MB of source, external domains: 127.0.0.1, cpolar.com, dashboard.cpolar.com, github.com, natapp.cn, reactjs.org, www.apple.com, www.cpolar.com, www.w3.org, your.site

Source & flagged code

6 flagged · loading source
src/httpApi.jsView file
33L34: // The installed CLI version (server/package.json) — read once. The phone compares this against the cached L35: // npm "latest" to surface an update hint ("run `handmux update` on your computer"); see the /version route. L36: const PKG_VERSION = (() => { L37: try { return JSON.parse(readFileSync(resolvePath(here, '../package.json'), 'utf8')).version || null; } L38: catch { return null; } ... L79: uploadExts = DEFAULT_UPLOAD_EXTS, maxUploadBytes = MAX_TRANSFER_BYTES, L80: asrEnv = process.env, previews, previewDomain = null, L81: home = homedir(), stateFile = process.env.CLAUDE_STATE_FILE || claudeStatePath(homedir()), L82: } = {}) { ... L91: L92: r.post('/sessions', async (req, res, next) => {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/httpApi.jsView on unpkg · L33
src/cli/service.jsView file
2// keeps server + tunnel alive — same model as a foreground run, just parented by launchd/systemd. L3: // The intended config is baked into the service file as a base64 payload (self-contained: no reliance L4: // on config.json). Text generators are pure (unit-tested); the launchctl/systemctl calls inject `exec`. L5: import fs from 'node:fs'; L6: import path from 'node:path'; L7: import { spawnSync } from 'node:child_process'; L8: import { pocketHome, logPath } from './state.js'; ... L56: L57: export function installService(args, { home, platform = process.platform, exec = spawnSync, log = console } = {}) { L58: if (platform === 'darwin') { ... L63: const r = exec('launchctl', ['load', '-w', p], { encoding: 'utf8' }); L64: if (r.status !== 0) throw new Error(`launchctl load failed: ${r.stderr || r.status}`);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/cli/service.jsView on unpkg · L2
src/cli/tunnelClients.jsView file
2// hard way: cpolar publishes stable per-OS/arch zips, so we can AUTO-DOWNLOAD it (PATH → ~/.handmux/bin → L3: // fetch+unzip); natapp gates its downloads behind a login, so there's no stable URL to fetch — we resolve an L4: // already-installed binary and otherwise throw a clear "download it yourself into ~/.handmux/bin" message. ... L7: import path from 'node:path'; L8: import { spawnSync } from 'node:child_process'; L9: import { pocketHome } from './state.js'; ... L15: const CPOLAR_VERSION = '3.3.12'; L16: export function assetForCpolar(platform = process.platform, arch = process.arch) { L17: const a = { x64: 'amd64', arm64: 'arm64', arm: 'arm', ia32: '386' }[arch] || arch; L18: const base = `https://www.cpolar.com/static/downloads/releases/${CPOLAR_VERSION}`; L19: if (platform === 'win32') return { bin: 'cpolar.exe', url: null }; // installer-only → manual ... L43: if (!res.ok) throw new Error(t('client.cpolarManual'));
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/cli/tunnelClients.jsView on unpkg · L2
hooks/handmux-notify.shView file
path = hooks/handmux-notify.sh kind = build_helper sizeBytes = 1752 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

hooks/handmux-notify.shView on unpkg
public/fonts/TWUnifont.woff2View file
path = public/fonts/TWUnifont.woff2 kind = high_entropy_blob sizeBytes = 912400 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

public/fonts/TWUnifont.woff2View on unpkg
bin/handmux.jsView file
matchType = previous_version_dangerous_delta matchedPackage = handmux@0.8.0 matchedIdentity = npm:aGFuZG11eA:0.8.0 similarity = 0.780 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/handmux.jsView on unpkg

Findings

3 High5 Medium8 Low
HighSandbox Evasion Gated Capabilitysrc/cli/tunnelClients.js
HighShips High Entropy Blobpublic/fonts/TWUnifont.woff2
HighPrevious Version Dangerous Deltabin/handmux.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/cli/service.js
MediumShips Build Helperhooks/handmux-notify.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/httpApi.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License