registry  /  jeo-code  /  0.8.11

jeo-code@0.8.11

Clean, highly optimized AI coding agent using spec-first loop

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 221 file(s), 2.23 MB of source, external domains: accounts.google.com, api.anthropic.com, api.cerebras.ai, api.deepseek.com, api.fireworks.ai, api.groq.com, api.kimi.com, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.openai.com, api.synthetic.new, api.telegram.org, api.together.xyz, api.venice.ai, api.x.ai, api.xiaomimimo.com, api.z.ai, auth.kimi.com, auth.openai.com, chatgpt.com, claude.ai, cloudcode-pa.googleapis.com, coding-intl.dashscope.aliyuncs.com, core.telegram.org, daily-cloudcode-pa.googleapis.com, daily-cloudcode-pa.sandbox.googleapis.com, duckduckgo.com, generativelanguage.googleapis.com, goo.gle, html.duckduckgo.com, integrate.api.nvidia.com, lite.duckduckgo.com, nano-gpt.com, oauth2.googleapis.com, openrouter.ai, portal.qwen.ai, qianfan.baidubce.com, registry.npmjs.org, router.huggingface.co, token-plan-ams.xiaomimimo.com, token-plan-cn.xiaomimimo.com, token-plan-sgp.xiaomimimo.com, tokenhub-intl.tencentcloudmaas.com, www.comet.com, www.googleapis.com, zenmux.ai

Source & flagged code

3 flagged · loading source
src/auth/oauth.tsView file
15label: "Anthropic Console (Claude)", L16: authorizeUrl: "https://claude.ai/oauth/authorize", L17: instructions: [ ... L60: const cmd = L61: process.platform === "darwin" ? ["open", url] : L62: process.platform === "win32" ? ["cmd", "/c", "start", "", url] : L63: ["xdg-open", url]; L64: const proc = Bun.spawn(cmd, { stdout: "ignore", stderr: "ignore" }); L65: await proc.exited;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/auth/oauth.tsView on unpkg · L15
scripts/uninstall.shView file
path = scripts/uninstall.sh kind = build_helper sizeBytes = 1050 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/uninstall.shView on unpkg
src/commands/launch.tsView file
matchType = previous_version_dangerous_delta matchedPackage = jeo-code@0.8.9 matchedIdentity = npm:amVvLWNvZGU:0.8.9 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/commands/launch.tsView on unpkg

Findings

2 High4 Medium5 Low
HighSandbox Evasion Gated Capabilitysrc/auth/oauth.ts
HighPrevious Version Dangerous Deltasrc/commands/launch.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/uninstall.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings