registry  /  hoomanjs  /  1.58.0

hoomanjs@1.58.0

Full-stack open-source agentic ecosystem — local-first CLI, VS Code, ACP, daemon channels, and Design mode. BYOK, custom inference endpoints, llama.cpp & MLX.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 242 file(s), 1.17 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.exa.ai, api.example.com, api.firecrawl.dev, api.groq.com, api.minimax.io, api.moonshot.ai, api.openai.com, api.search.brave.com, api.tavily.com, api.x.ai, auth.example.com, example.com, generativelanguage.googleapis.com, github.com, google.serper.dev, html.duckduckgo.com, models.dev, openrouter.ai, skills.sh, vaibhavpandey.com, your-resource-name.openai.azure.com, your-resource.openai.azure.com

Source & flagged code

6 flagged · loading source
dist/core/shell/manager.jsView file
194async output(jobId, opts) { L195: const job = this.#require(jobId); L196: await this.#syncHostOutput(job);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/shell/manager.jsView on unpkg · L194
dist/core/utils/fig-archive.jsView file
52len.writeUInt32BE(data.length, 0); L53: const t = Buffer.from(type, "ascii"); L54: const crc = Buffer.alloc(4);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/utils/fig-archive.jsView on unpkg · L52
dist/core/skills/registry.jsView file
1import { execFile } from "node:child_process"; L2: import { promisify } from "node:util"; ... L10: const SKILLS_AGENT = "openclaw"; L11: const SKILLS_API_URL = "https://skills.sh"; L12: const NPX_BIN = process.platform === "win32" ? "npx.cmd" : "npx"; L13: const ANSI_RE = /\x1b\[[0-9;]*m/g; ... L22: timeout, L23: env: { ...process.env, NO_COLOR: "1", FORCE_COLOR: "0" }, L24: }); ... L35: async list() { L36: let stdout; L37: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/core/skills/registry.jsView on unpkg · L1
dist/core/utils/seeds/empty-slides.deckView file
path = dist/core/utils/seeds/empty-slides.deck kind = high_entropy_blob sizeBytes = 50633 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/core/utils/seeds/empty-slides.deckView on unpkg
path = dist/core/utils/seeds/empty-slides.deck kind = compressed_blob sizeBytes = 50633 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/core/utils/seeds/empty-slides.deckView on unpkg
path = dist/core/utils/seeds/empty-slides.deck kind = nested_archive_needs_inspection sizeBytes = 50633 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/core/utils/seeds/empty-slides.deckView on unpkg

Findings

2 High5 Medium7 Low
HighSandbox Evasion Gated Capabilitydist/core/skills/registry.js
HighShips High Entropy Blobdist/core/utils/seeds/empty-slides.deck
MediumDynamic Requiredist/core/shell/manager.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobdist/core/utils/seeds/empty-slides.deck
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/core/utils/fig-archive.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNested Archive Needs Inspectiondist/core/utils/seeds/empty-slides.deck