
moflo@4.10.29

MoFlo — AI agent orchestration for Claude Code. A standalone, opinionated toolkit with semantic memory, learned routing, gates, spells, and the /flo issue-execution skill.

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 22 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Native Bindings, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.

Scanned 637 file(s), 7.12 MB of source.
External domains referenced: api.moflo.io, api.npmjs.org, api.openai.com, api.pinata.cloud, claude.com, cli.github.com, cloudflare-ipfs.com, dev.moflo.io, docs.anthropic.com, dweb.link, fonts.googleapis.com, fonts.gstatic.com, gateway.pinata.cloud, git-scm.com, github.com, graph.microsoft.com, imapflow.com, ipfs.io, nodejs.org, nvd.nist.gov, outlook.live.com, pinata.cloud, playwright.dev, registry.npmjs.org, slack.com, staging.moflo.io, storage.googleapis.com, us-central1-claude-flow.cloudfunctions.net, w3s.link, www.apple.com, www.docker.com

Source & flagged code

14 flagged
package.json
  scripts.postinstall = node scripts/prune-native-binaries.mjs && node scripts/post-install-notice.mjs && node scripts/post-install-bootstrap.mjs
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
  scripts.postinstall = node scripts/prune-native-binaries.mjs && node scripts/post-install-notice.mjs && node scripts/post-install-bootstrap.mjs
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

dist/src/cli/guidance/manifest-validator.js, L702
  patternName = private_key_rsa  severity = critical  line = 702  matchedText = params: ...' },
Critical: Critical Secret
Package contains a critical-looking secret pattern.

dist/src/cli/guidance/manifest-validator.js, L702
  patternName = private_key_rsa  severity = critical  line = 702  matchedText = params: ...' },
Critical: Secret Pattern
RSA private key in dist/src/cli/guidance/manifest-validator.js

bin/generate-code-map.mjs, L30
  L30: import { fileURLToPath } from 'url';
  L31: import { execSync, execFileSync, spawn } from 'child_process';
  L32: import { memoryDbPath, MOFLO_DIR, findProjectRoot } from './lib/moflo-paths.mjs';
High: Child Process
Package source references child process execution.

bin/hooks.mjs, L3
  L3: * Cross-platform Claude Code hook runner
  L4: * Works on Windows (cmd/powershell) and Linux/WSL (bash)
  L5: *
High: Shell
Package source references shell execution.

dist/src/cli/guidance/analyzer.js, L1284
  patternName = generic_password  severity = medium  line = 1284  matchedText = { type: ...' },
Medium: Secret Pattern
Hardcoded password in dist/src/cli/guidance/analyzer.js

dist/src/cli/guidance/analyzer.js, L2067
  patternName = generic_password  severity = medium  line = 2067  matchedText = { type: ...' },
Medium: Secret Pattern
Hardcoded password in dist/src/cli/guidance/analyzer.js

dist/src/cli/guidance/analyzer.js, L2043
  L2043: { type: 'must-match-pattern', value: 'escape|validate|regex|filter', severity: 'major' },
  L2044: { type: 'must-not-contain', value: 'eval(', severity: 'critical' },
  L2045: ],
Low: Eval
Package source references a known benign dynamic code generation pattern.

bin/run-migrations.mjs, L61
  L61: try {
  L62: const mod = await import(url);
  L63: if (mod && typeof mod.run === 'function' && typeof mod.name === 'string') {
Medium: Dynamic Require
Package source references dynamic require/import behavior.

bin/lib/file-sync.mjs, L1
  L1: /**
  L2: * Shared file-sync helper for the launcher (#854 §3) and the postinstall
Low: Weak Crypto
Package source references weak cryptographic algorithms.

dist/src/cli/services/daemon-service.js, L8
  L8: * - Linux: systemd --user unit in ~/.config/systemd/user/
  L9: * - Windows: Task Scheduler ONLOGON trigger via schtasks
  L10: */
  ...
  L14: import { homedir } from 'os';
  L15: import { execSync } from 'child_process';
  L16: import { locateMofloCliBin } from './moflo-require.js';
  ...
  L31: const resolvedRoot = resolve(projectRoot);
  L32: const platform = process.platform;
  L33: if (platform === 'darwin') {
  ...
  L93: const slug = projectRootSlug(projectRoot);
  L94: return join(homedir(), 'Library', 'LaunchAgents', `${PLIST_LABEL}.${slug}.plist`);
  L95: }
Medium: Install Persistence
Source writes installer persistence such as shell profile or service configuration.

dist/src/cli/update/executor.js, L62
  L62: // Execute npm install
  L63: const installCmd = `npm install ${update.package}@${update.latestVersion} --save-exact`;
  L64: execSync(installCmd, {
  L65: encoding: 'utf-8',
High: Runtime Package Install
Package source invokes a package manager install command at runtime.

.claude/agents/core/reviewer.md, L81
  patternName = generic_password  severity = medium  line = 81  matchedText = console....rd);
Medium: Secret Pattern
Hardcoded password in .claude/agents/core/reviewer.md

Findings

2 Critical, 4 High, 9 Medium, 7 Low

Severity | Finding | File
Critical | Critical Secret | dist/src/cli/guidance/manifest-validator.js
Critical | Secret Pattern | dist/src/cli/guidance/manifest-validator.js
High | Install Time Lifecycle Scripts | package.json
High | Child Process | bin/generate-code-map.mjs
High | Shell | bin/hooks.mjs
High | Runtime Package Install | dist/src/cli/update/executor.js
Medium | Ambiguous Install Lifecycle Script | package.json
Medium | Dynamic Require | bin/run-migrations.mjs
Medium | Network | (package-wide)
Medium | Environment Vars | (package-wide)
Medium | Install Persistence | dist/src/cli/services/daemon-service.js
Medium | Structural Risk Force Deep Review | (package-wide)
Medium | Secret Pattern | dist/src/cli/guidance/analyzer.js
Medium | Secret Pattern | dist/src/cli/guidance/analyzer.js
Medium | Secret Pattern | .claude/agents/core/reviewer.md
Low | Non Install Lifecycle Scripts | (package-wide)
Low | Scripts Present | (package-wide)
Low | Eval | dist/src/cli/guidance/analyzer.js
Low | Weak Crypto | bin/lib/file-sync.mjs
Low | Filesystem | (package-wide)
Low | High Entropy Strings | (package-wide)
Low | Url Strings | (package-wide)