
nonsudo@2.1.0

Runtime governance and execution evidence for AI agents.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process · Crypto · Environment Vars · Eval · Filesystem
Supply chain
High Entropy Strings · Minified · Obfuscated · Url Strings
Manifest
No License
scanned 6 file(s), 3.72 MB of source, external domains: dub.sh, feross.org, git.io, github.com

Source & flagged code

3 flagged
dist/proxy-entry.mjs
1import {dirname,resolve,join,relative,isAbsolute}from'path';import'fs/promises';import {readFileSync,realpathSync,statSync}from'fs';import {randomUUID,timingSafeEqual}from'crypto';... L2: `)}};Tu.defaultYaml={explicit:false,version:"1.2"};Tu.defaultTags={"!!":"tag:yaml.org,2002:"};SI.Directives=Tu;});var wm=E(Pu=>{var EI=fe(),GL=Ou();function zL(n){if(/[\x00-\x19\s,...
High
Child Process

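Package source references child process execution. The excerpt shown above covers only the start of the bundle (path, fs and crypto imports, then bundled YAML code) and does not display the child_process reference itself, so open the file to see what is spawned and with which arguments.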

dist/proxy-entry.mjs · L1
142at `+t[r].toString();return i}return e&&(i+=" at "+E1(e)),i}function Vq(n,e,t){var s="\x1B[36;1m"+this._namespace+"\x1B[22;39m \x1B[33;1mdeprecated\x1B[22;39m \x1B[0m"+n+"\x1B[39m"... L143: \x1B[36mat `+t[i].toString()+"\x1B[39m";return s}return e&&(s+=" \x1B[36m"+E1(e)+"\x1B[39m"),s}function E1(n){return Nq(Cq,n[0])+":"+n[1]+":"+n[2]}function yg(){var n=Error.stackTr... L144: return function (`+t+`) {log.call(deprecate, message, site)
Low
Eval

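Package source references a known benign dynamic code generation pattern. In the excerpt, the generated function body (`return function (...) {log.call(deprecate, message, site)`) sits inside what appears to be a bundled deprecation-warning helper; when reviewing, confirm the interpolated argument list is built internally rather than from external input.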

dist/proxy-entry.mjs · L142
dist/index.js
1Cross-file remote execution chain: dist/index.js spawns dist/proxy-entry.js; helper contains network access plus dynamic code execution. L1: 'use strict';var fs$1=require('fs'),path=require('path'),child_process=require('child_process'),crypto=require('crypto');var eo=Object.create;var In=Object.defineProperty;var to=Ob... L2: `).replace(/^/gm," ".repeat(o))}let u=[`Usage: ${n.commandUsage(e)}`,""],d=n.commandDescription(e);d.length>0&&(u=u.concat([n.wrap(d,r,0),""]));let l=n.visibleArguments(e).map(f=>a... ... L9: (Did you mean one of ${i.join(", ")}?)`:i.length===1?` L10: (Did you mean ${i[0]}?)`:""}qn.suggestSimilar=qo;});var Yn=ie(Wn=>{var jo=Se("events").EventEmitter,$t=Se("child_process"),J=Se("path"),Ut=Se("fs"),T=Se("process"),{Argument:Ko,hum... L11: - specify the name in Command constructor or using .name()`);return n=n||{},n.isDefault&&(this._defaultCommandName=e._name),(n.noHelp||n.hidden)&&(e._hidden=true),this._registerCom... ... L136: Writes PUBLIC material only: a JWK map { <key_id>: JWK, "default": JWK } L137: (OKP/Ed25519, base64url public point in \`x\`). The seed and private key L138: are never written or echoed. Pass the output to ... L145: Delegates to: pnpm …
High
Cross File Remote Execution Context

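Source spawns a local helper that also contains network and dynamic execution context. The finding reports that these capabilities co-occur; it does not by itself show a remote-execution path, so review the data flow between the two files before blocking. Note that the chain summary names dist/proxy-entry.js while the flagged helper above is dist/proxy-entry.mjs; confirm which file is actually spawned.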

dist/index.js · L1

Findings

3 High · 2 Medium · 6 Low
High · Child Process · dist/proxy-entry.mjs
High · Cross File Remote Execution Context · dist/index.js
High · Obfuscated
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · dist/proxy-entry.mjs
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License