hoomanjs@1.37.3

Hackable AI agent toolkit for building local CLI, ACP, MCP, and channel-driven workflows.

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 174 file(s), 707 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.example.com, api.groq.com, api.minimax.io, api.moonshot.ai, api.openai.com, api.search.brave.com, api.x.ai, auth.example.com, example.com, github.com, google.serper.dev, openrouter.ai, skills.sh, your-resource-name.openai.azure.com

Source & flagged code

2 flagged

dist/core/utils/hashing.js
    L1: import crypto from "node:crypto";
    L2: export function md5(input) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/utils/hashing.js · L1

dist/core/skills/registry.js
    L1: import { execFile } from "node:child_process";
    L2: import { promisify } from "node:util";
    ...
    L10: const SKILLS_AGENT = "openclaw";
    L11: const SKILLS_API_URL = "https://skills.sh";
    L12: const NPX_BIN = process.platform === "win32" ? "npx.cmd" : "npx";
    L13: const ANSI_RE = /\x1b\[[0-9;]*m/g;
    ...
    L22: timeout,
    L23: env: { ...process.env, NO_COLOR: "1", FORCE_COLOR: "0" },
    L24: });
    ...
    L35: async list() {
    L36: let stdout;
    L37: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/core/skills/registry.js · L1

Findings

1 High · 3 Medium · 5 Low

High: Sandbox Evasion Gated Capability (dist/core/skills/registry.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Weak Crypto (dist/core/utils/hashing.js)
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings