registry  /  handmux  /  0.7.0

handmux@0.7.0

Mobile vibe coding — drive your real tmux session (and Claude Code) from your phone.

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis completed at 65.0% confidence. No malicious behavior was detected; 14 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 50 file(s), 1.07 MB of source, external domains: 127.0.0.1, github.com, reactjs.org, www.apple.com, www.w3.org

Source & flagged code

4 flagged · loading source
src/httpApi.jsView file
56uploadExts = DEFAULT_UPLOAD_EXTS, maxUploadBytes = MAX_TRANSFER_BYTES, L57: asrEnv = process.env, previews, previewDomain = null, L58: home = homedir(), stateFile = process.env.CLAUDE_STATE_FILE || claudeStatePath(homedir()), L59: } = {}) { ... L61: r.use(expressAuth(token)); L62: r.use(express.json()); L63: const claudeEvents = events || createClaudeEvents({ commands, push }); ... L68: L69: r.post('/sessions', async (req, res, next) => { L70: const name = typeof req.body?.name === 'string' ? req.body.name.trim() : ''; ... L566: // POST {name,dir} registers a static dir served at /preview/<name>/; POST {name,port} registers a L567: // dynamic reverse-proxy reachable at https://<name>.<DOMAIN>/ (only when previewDomain is set). The
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/httpApi.jsView on unpkg · L56
src/cli/service.jsView file
2// keeps server + tunnel alive — same model as a foreground run, just parented by launchd/systemd. L3: // The intended config is baked into the service file as a base64 payload (self-contained: no reliance L4: // on config.json). Text generators are pure (unit-tested); the launchctl/systemctl calls inject `exec`. L5: import fs from 'node:fs'; L6: import path from 'node:path'; L7: import { spawnSync } from 'node:child_process'; L8: import { pocketHome, logPath } from './state.js'; ... L56: L57: export function installService(args, { home, platform = process.platform, exec = spawnSync, log = console } = {}) { L58: if (platform === 'darwin') { ... L63: const r = exec('launchctl', ['load', '-w', p], { encoding: 'utf8' }); L64: if (r.status !== 0) throw new Error(`launchctl load failed: ${r.stderr || r.status}`);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/cli/service.jsView on unpkg · L2
hooks/handmux-notify.shView file
path = hooks/handmux-notify.sh kind = build_helper sizeBytes = 1752 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

hooks/handmux-notify.shView on unpkg
public/fonts/TWUnifont.woff2View file
path = public/fonts/TWUnifont.woff2 kind = high_entropy_blob sizeBytes = 912400 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

public/fonts/TWUnifont.woff2View on unpkg

Findings

1 High5 Medium8 Low
HighShips High Entropy Blobpublic/fonts/TWUnifont.woff2
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/cli/service.js
MediumShips Build Helperhooks/handmux-notify.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/httpApi.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License