registry  /  loki-mode  /  7.110.0

loki-mode@7.110.0

Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 8 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 160 file(s), 2.45 MB of source, external domains: 127.0.0.1, adaptivecards.io, api.github.com, api.honeycomb.io, api.linear.app, api.npmjs.org, app.netlify.com, cdn.jsdelivr.net, cli.github.com, deno.land, discord.gg, github.com, hooks.slack.com, my-app.vercel.app, react.dev, registry.npmjs.org, twitter.com, vercel.com, www.autonomi.dev, www.w3.org
Oversized source lightweight scan
dashboard/static/assets/mermaid.min.js3.18 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringswww.w3.org

Source & flagged code

11 flagged · loading source
references/invariant-checks.mdView file
56patternName = aws_access_key severity = critical line = 56 matchedText = document...re`.
Critical
Critical Secret

Package contains a critical-looking secret pattern.

references/invariant-checks.mdView on unpkg · L56
56patternName = aws_access_key severity = critical line = 56 matchedText = document...re`.
Critical
Secret Pattern

AWS access key ID in references/invariant-checks.md

references/invariant-checks.mdView on unpkg · L56
loki-ts/dist/loki.jsView file
334`)}function B0($){let Q=!1,Z=!1;for(let K of $)if(K==="--json")Q=!0;else if(K==="--efficiency")Z=!0;let z=P();if(!V1(z)){if(Q)return{exitCode:0,stdout:'{"error": "No active session... L335: Start a session with: loki start <prd>`}}let X=M3(z);return{exitCode:0,stdout:Q?T3(X,Z):O3(X,Z)}}async function A3($){let{emitDeprecatedAlias:Q}=await Promise.resolve().then(() => ... L336: `);if(G>0&&N.length>0)N=N.slice(1);N=N.map((g)=>g.trim()).filter((g)=>g.length>0),U=N.slice(-5)}}catch{U=[]}return{errors_log_path:H?V:null,recent_errors:U,recent_error_count:U.len...
High
Child Process

Package source references child process execution.

loki-ts/dist/loki.jsView on unpkg · L334
334`)}function B0($){let Q=!1,Z=!1;for(let K of $)if(K==="--json")Q=!0;else if(K==="--efficiency")Z=!0;let z=P();if(!V1(z)){if(Q)return{exitCode:0,stdout:'{"error": "No active session... L335: Start a session with: loki start <prd>`}}let X=M3(z);return{exitCode:0,stdout:Q?T3(X,Z):O3(X,Z)}}async function A3($){let{emitDeprecatedAlias:Q}=await Promise.resolve().then(() => ... L336: `);if(G>0&&N.length>0)N=N.slice(1);N=N.map((g)=>g.trim()).filter((g)=>g.length>0),U=N.slice(-5)}}catch{U=[]}return{errors_log_path:H?V:null,recent_errors:U,recent_error_count:U.len...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

loki-ts/dist/loki.jsView on unpkg · L334
331print(json.dumps(result, indent=2)) L332: `;var V0=L(()=>{d();V$();c();C()});var U0={};b(U0,{emitDeprecatedAlias:()=>X1,deprecatedAliasShouldSuppress:()=>W0});function W0($){let Q=$[0];if(Q!==void 0&&G3.has(Q))return!0;for... L333: `)}var H3,G3;var K1=L(()=>{H3=new Set(["--json","-q","--quiet"]),G3=new Set(["json","csv","timeline"])});var Y0={};b(Y0,{runStats:()=>A3,computeStats:()=>B0});import{readdirSync as... L334: `)}function B0($){let Q=!1,Z=!1;for(let K of $)if(K==="--json")Q=!0;else if(K==="--efficiency")Z=!0;let z=P();if(!V1(z)){if(Q)return{exitCode:0,stdout:'{"error": "No active session... L335: Start a session with: loki start <prd>`}}let X=M3(z);return{exitCode:0,stdout:Q?T3(X,Z):O3(X,Z)}}async function A3($){let{emitDeprecatedAlias:Q}=await Promise.resolve().then(() => ... L336: `);if(G>0&&N.length>0)N=N.slice(1);N=N.map((g)=>g.trim()).filter((g)=>g.length>0),U=N.slice(-5)}}catch{U=[]}return{errors_log_path:H?V:null,recent_errors:U,recent_error_count:U.len...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

loki-ts/dist/loki.jsView on unpkg · L331
bin/loki-mode.jsView file
12L13: const { spawn } = require('child_process'); L14: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/loki-mode.jsView on unpkg · L12
web-app/auth.pyView file
path = web-app/auth.py kind = build_helper sizeBytes = 9098 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

web-app/auth.pyView on unpkg
memory/tests/test_namespace.pyView file
path = memory/tests/test_namespace.py kind = payload_in_excluded_dir sizeBytes = 18946 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

memory/tests/test_namespace.pyView on unpkg
dashboard/static/assets/mermaid.min.jsView file
path = dashboard/static/assets/mermaid.min.js kind = oversized_source_file sizeBytes = 3336946 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dashboard/static/assets/mermaid.min.jsView on unpkg
docs/siem-integration.mdView file
262patternName = generic_password severity = medium line = 262 matchedText = password...RD}"
Medium
Secret Pattern

Hardcoded password in docs/siem-integration.md

docs/siem-integration.mdView on unpkg · L262
autonomy/lib/secure-scan.pyView file
138patternName = aws_access_key severity = critical line = 138 matchedText = all-same...."""
Critical
Secret Pattern

AWS access key ID in autonomy/lib/secure-scan.py

autonomy/lib/secure-scan.pyView on unpkg · L138

Findings

3 Critical5 High6 Medium6 Low
CriticalCritical Secretreferences/invariant-checks.md
CriticalSecret Patternreferences/invariant-checks.md
CriticalSecret Patternautonomy/lib/secure-scan.py
HighChild Processloki-ts/dist/loki.js
HighSame File Env Network Executionloki-ts/dist/loki.js
HighCommand Output Exfiltrationloki-ts/dist/loki.js
HighPayload In Excluded Dirmemory/tests/test_namespace.py
HighOversized Source Filedashboard/static/assets/mermaid.min.js
MediumDynamic Requirebin/loki-mode.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperweb-app/auth.py
MediumStructural Risk Force Deep Review
MediumSecret Patterndocs/siem-integration.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings