registry  /  memory-recall  /  1.0.5

memory-recall@1.0.5

Local-first repo memory and context for coding agents.

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 26 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 169 file(s), 3.47 MB of source, external domains: 127.0.0.1, 192.0.2.10, api.openai.com, bad.example, collector.example.test, evil.test, example.com, example.invalid, example.test, github.com, openagentfabric.dev, provider.example, www.npmjs.com

Source & flagged code

19 flagged · loading source
scripts/native-smoke.mjsView file
53patternName = generic_password severity = medium line = 53 matchedText = password...le',
Medium
Secret Pattern

Package contains a possible secret pattern.

scripts/native-smoke.mjsView on unpkg · L53
57patternName = generic_password severity = medium line = 57 matchedText = const ve... });
Medium
Secret Pattern

Hardcoded password in scripts/native-smoke.mjs

scripts/native-smoke.mjsView on unpkg · L57
tests/context-recall-eval.test.mjsView file
2import assert from 'node:assert/strict'; L3: import { spawnSync } from 'node:child_process'; L4: import { mkdirSync, mkdtempSync, writeFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

tests/context-recall-eval.test.mjsView on unpkg · L2
tests/release-readiness.test.mjsView file
148const hookCommand = hookSnippet.hooks.SessionStart[0].hooks[0].command; L149: const hookRun = spawnSync(hookCommand, { cwd: work, shell: true, encoding: 'utf8', env }); L150: assert.equal(hookRun.status, 0, hookRun.stderr);
High
Shell

Package source references shell execution.

tests/release-readiness.test.mjsView on unpkg · L148
providers/native/context-candidate-ast-code/src/index.mjsView file
1420const imports = []; L1421: for (const match of String(body ?? '').matchAll(/^\s*import(?!\s*['"])(?:\s+type)?\s+([\s\S]*?)\s+from\s+['"]([^'"]+)['"]/gmu)) { L1422: const rawModule = match[2];
Medium
Dynamic Require

Package source references dynamic require/import behavior.

providers/native/context-candidate-ast-code/src/index.mjsView on unpkg · L1420
tests/control-api.test.mjsView file
177const port = 46000 + Math.floor(Math.random() * 1000); L178: base = `http://127.0.0.1:${port}`; L179: child = spawn(process.execPath, ['services/control-api/src/server.mjs'], { L180: env: { ...process.env, OAF_PORT: String(port), OAF_DATA_DIR: temp }, L181: stdio: ['ignore', 'pipe', 'pipe']
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

tests/control-api.test.mjsView on unpkg · L177
166patternName = generic_password severity = medium line = 166 matchedText = body: JS...' })
Medium
Secret Pattern

Hardcoded password in tests/control-api.test.mjs

tests/control-api.test.mjsView on unpkg · L166
scripts/consumer-browser-smoke.mjsView file
128} catch { L129: primaryError.message = `${primaryError.message}\nInstall Playwright Chromium with: npx playwright install chromium`; L130: throw primaryError; ... L139: function runJson(command, args) { L140: const result = spawnSync(command, args, { cwd: root, encoding: 'utf8' }); L141: if (result.status !== 0) throw new Error(`${command} ${args.join(' ')} failed: ${result.stderr || result.stdout}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/consumer-browser-smoke.mjsView on unpkg · L128
17patternName = generic_password severity = medium line = 17 matchedText = const pa...le';
Medium
Secret Pattern

Hardcoded password in scripts/consumer-browser-smoke.mjs

scripts/consumer-browser-smoke.mjsView on unpkg · L17
MakefileView file
path = Makefile kind = build_helper sizeBytes = 561 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

MakefileView on unpkg
tests/control-api-auth.test.mjsView file
11patternName = generic_password severity = medium line = 11 matchedText = const pa...le';
Medium
Secret Pattern

Hardcoded password in tests/control-api-auth.test.mjs

tests/control-api-auth.test.mjsView on unpkg · L11
223patternName = generic_password severity = medium line = 223 matchedText = body: JS...' })
Medium
Secret Pattern

Hardcoded password in tests/control-api-auth.test.mjs

tests/control-api-auth.test.mjsView on unpkg · L223
228patternName = generic_password severity = medium line = 228 matchedText = body: JS...' })
Medium
Secret Pattern

Hardcoded password in tests/control-api-auth.test.mjs

tests/control-api-auth.test.mjsView on unpkg · L228
tests/control-api-boundary.test.mjsView file
116patternName = generic_password severity = medium line = 116 matchedText = password...le',
Medium
Secret Pattern

Hardcoded password in tests/control-api-boundary.test.mjs

tests/control-api-boundary.test.mjsView on unpkg · L116
220patternName = generic_password severity = medium line = 220 matchedText = password...le',
Medium
Secret Pattern

Hardcoded password in tests/control-api-boundary.test.mjs

tests/control-api-boundary.test.mjsView on unpkg · L220
tests/native-identity-store.test.mjsView file
11patternName = generic_password severity = medium line = 11 matchedText = const pa...le';
Medium
Secret Pattern

Hardcoded password in tests/native-identity-store.test.mjs

tests/native-identity-store.test.mjsView on unpkg · L11
65patternName = generic_password severity = medium line = 65 matchedText = assert.e...se);
Medium
Secret Pattern

Hardcoded password in tests/native-identity-store.test.mjs

tests/native-identity-store.test.mjsView on unpkg · L65
66patternName = generic_password severity = medium line = 66 matchedText = assert.e...se);
Medium
Secret Pattern

Hardcoded password in tests/native-identity-store.test.mjs

tests/native-identity-store.test.mjsView on unpkg · L66
scripts/consumer-smoke.mjsView file
13patternName = generic_password severity = medium line = 13 matchedText = const pa...le';
Medium
Secret Pattern

Hardcoded password in scripts/consumer-smoke.mjs

scripts/consumer-smoke.mjsView on unpkg · L13

Findings

4 High18 Medium4 Low
HighChild Processtests/context-recall-eval.test.mjs
HighShelltests/release-readiness.test.mjs
HighSame File Env Network Executiontests/control-api.test.mjs
HighRuntime Package Installscripts/consumer-browser-smoke.mjs
MediumSecret Patternscripts/native-smoke.mjs
MediumDynamic Requireproviders/native/context-candidate-ast-code/src/index.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build HelperMakefile
MediumStructural Risk Force Deep Review
MediumSecret Patterntests/control-api-auth.test.mjs
MediumSecret Patterntests/control-api-auth.test.mjs
MediumSecret Patterntests/control-api-auth.test.mjs
MediumSecret Patterntests/control-api.test.mjs
MediumSecret Patterntests/control-api-boundary.test.mjs
MediumSecret Patterntests/control-api-boundary.test.mjs
MediumSecret Patterntests/native-identity-store.test.mjs
MediumSecret Patterntests/native-identity-store.test.mjs
MediumSecret Patterntests/native-identity-store.test.mjs
MediumSecret Patternscripts/native-smoke.mjs
MediumSecret Patternscripts/consumer-smoke.mjs
MediumSecret Patternscripts/consumer-browser-smoke.mjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings