registry  /  loommcp-cli  /  2.0.1

loommcp-cli@2.0.1

Model-independent local runtime for files, terminal, memory, skills, browser control, and remote MCP access.

Static Scan Results

scanned 6h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 118 KB of source, external domains: your-tunnel-host.example.com

Source & flagged code

2 flagged · loading source
dist/chunks/chunk-ZHX75MYZ.jsView file
4function expandHomePath(path3) { L5: if (path3 === "~") return homedir(); L6: if (path3.startsWith("~/") || path3.startsWith("~\\")) { ... L22: import { join, resolve as resolve2 } from "node:path"; L23: function loomConfigDir(env = process.env) { L24: return resolve2(expandHomePath(env.LOOM_CONFIG_DIR ?? join(homedir2(), ".loom"))); ... L74: function generateOwnerToken() { L75: return randomBytes(32).toString("base64url"); L76: } ... L210: const localHost = host === "0.0.0.0" || host === "::" ? "127.0.0.1" : host; L211: const localUrl = `http://${localHost.includes(":") ? `[${localHost}]` : localHost}:${port}`; L212: const publicBaseUrl = normalizePublicBaseUrl(env.LOOM_PUBLIC_BASE_URL ?? files.config.publicBaseUrl ?? localUrl);
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/chunks/chunk-ZHX75MYZ.jsView on unpkg · L4
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = loommcp-cli@2.0.0 matchedIdentity = npm:bG9vbW1jcC1jbGk:2.0.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg

Findings

2 High3 Medium4 Low
HighCloud Metadata Accessdist/chunks/chunk-ZHX75MYZ.js
HighPrevious Version Dangerous Deltadist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings