registry  /  hyacinth-ai  /  0.9.7

hyacinth-ai@0.9.7

Hyacinth 🪻 — multi-provider AI agent with tool system and context management

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 326 file(s), 2.14 MB of source, external domains: 127.0.0.1, aistudio.google.com, api.anthropic.com, api.deepseek.com, api.github.com, api.groq.com, api.minimaxi.com, api.mistral.ai, api.moonshot.cn, api.openai.com, api.x.ai, api.xiaomimimo.com, console.anthropic.com, console.groq.com, console.mistral.ai, console.x.ai, dashscope.aliyuncs.com, generativelanguage.googleapis.com, github.com, huggingface.co, ilinkai.weixin.qq.com, open.bigmodel.cn, open.feishu.cn, openrouter.ai, platform.deepseek.com, platform.moonshot.cn, platform.openai.com

Source & flagged code

6 flagged · loading source
dist/tools/bash.jsView file
1import { spawn, execSync } from 'node:child_process'; L2: import fs from 'node:fs';
High
Child Process

Package source references child process execution.

dist/tools/bash.jsView on unpkg · L1
13/** 词边界正则黑名单 — 匹配独立危险命令。 L14: * (?!-) 确保 format 不误杀 PowerShell 的 Format-List/Format-Table/Format-Hex 等 cmdlet */ L15: const BLOCKED_COMMAND_REGEX = [
High
Shell

Package source references shell execution.

dist/tools/bash.jsView on unpkg · L13
dist/plugins/loader.jsView file
76// pathToFileURL handles Windows drive letters (C:\) correctly L77: const { pathToFileURL } = await import('node:url'); L78: const url = pathToFileURL(entryPath).href;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/loader.jsView on unpkg · L76
dist/tools/xref/ts-parser.jsView file
1/** L2: * TypeScript/JavaScript AST 解析器。
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/tools/xref/ts-parser.jsView on unpkg · L1
dist/update/install.jsView file
26onStatus('依赖有变化,重装中...'); L27: execSync('pnpm install --prod --no-frozen-lockfile', { cwd: installDir, stdio: 'inherit' }); L28: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/update/install.jsView on unpkg · L26
start-webui.shView file
path = start-webui.sh kind = build_helper sizeBytes = 826 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

start-webui.shView on unpkg

Findings

3 High5 Medium5 Low
HighChild Processdist/tools/bash.js
HighShelldist/tools/bash.js
HighRuntime Package Installdist/update/install.js
MediumDynamic Requiredist/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperstart-webui.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/tools/xref/ts-parser.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings