
hoomanjs@1.41.0

Hackable AI agent toolkit for building local CLI, ACP, MCP, and channel-driven workflows.

Static Scan Results

scanned 22h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence (public snapshot)

Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 184 file(s), 799 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.example.com, api.groq.com, api.minimax.io, api.moonshot.ai, api.openai.com, api.search.brave.com, api.x.ai, auth.example.com, example.com, github.com, google.serper.dev, models.dev, openrouter.ai, skills.sh, vaibhavpandey.com, your-resource-name.openai.azure.com

Source & flagged code

3 flagged

dist/core/utils/hashing.js
L1: import crypto from "node:crypto";
L2: export function md5(input) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/utils/hashing.js · L1

dist/core/skills/registry.js
L1: import { execFile } from "node:child_process";
L2: import { promisify } from "node:util";
...
L10: const SKILLS_AGENT = "openclaw";
L11: const SKILLS_API_URL = "https://skills.sh";
L12: const NPX_BIN = process.platform === "win32" ? "npx.cmd" : "npx";
L13: const ANSI_RE = /\x1b\[[0-9;]*m/g;
...
L22:   timeout,
L23:   env: { ...process.env, NO_COLOR: "1", FORCE_COLOR: "0" },
L24: });
...
L35: async list() {
L36:   let stdout;
L37:   try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/core/skills/registry.js · L1

dist/cli.js
matchType = previous_version_dangerous_delta
matchedPackage = hoomanjs@1.41.1
matchedIdentity = npm:aG9vbWFuanM:1.41.1
similarity = 0.933
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.js

Findings

2 High · 3 Medium · 5 Low

High · Sandbox Evasion Gated Capability · dist/core/skills/registry.js
High · Previous Version Dangerous Delta · dist/cli.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/core/utils/hashing.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings