helixcoder@0.1.0

Helix: a free, headless AI software-engineering agent and CLI. Runs a grounded loop (gather, act, verify, iterate) with permission-gated tools, snapshots, a per-task cost meter, and an eval harness. BYOK, provider-agnostic (Anthropic, Gemini, OpenAI-compa

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 621 KB of source, external domains: api.cerebras.ai, api.groq.com, api.openai.com, console.groq.com, generativelanguage.googleapis.com, helix.dev, json-schema.org, openrouter.ai

Source & flagged code

3 flagged
dist/bin.js
L2404: // ../engine/dist/command-verifier.js
L2405: import { spawn } from "node:child_process";
L2406: import { StringDecoder } from "node:string_decoder";
High
Child Process

Package source references child process execution.

dist/bin.js · L2404
L2059: const fetchImpl = opts.fetchImpl ?? fetch;
L2060: const baseURL = (opts.baseURL ?? env.OPENAI_BASE_URL ?? DEFAULT_OPENAI_BASE_URL).replace(/\/+$/, "");
L2061: let parsedScheme;
...
L2404: // ../engine/dist/command-verifier.js
L2405: import { spawn } from "node:child_process";
L2406: import { StringDecoder } from "node:string_decoder";
...
L2841: const mk = async (wasm) => {
L2842: const lang = await Parser.Language.load(readFileSync(vendorWasm(wasm)));
L2843: const p = new Parser();
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/bin.js · L2059
vendor/tree-sitter/tree-sitter.wasm
path = vendor/tree-sitter/tree-sitter.wasm
kind = wasm_module
sizeBytes = 188635
magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

vendor/tree-sitter/tree-sitter.wasm

Findings

3 High · 3 Medium · 6 Low
High · Child Process · dist/bin.js
High · Shell
High · Remote Agent Bridge · dist/bin.js
Medium · Environment Vars
Medium · Ships Wasm Module · vendor/tree-sitter/tree-sitter.wasm
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings