registry  /  npcmail  /  0.4.0

npcmail@0.4.0

Throwaway email identities on your own domain — NPCs with inboxes, built for AI agents. Self-hosted on Cloudflare in one command.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 772 KB of source, external domains: api.cloudflare.com, dash.cloudflare.com, github.com, mathiasbynens.be, registry.npmjs.org, www.w3.org

Source & flagged code

5 flagged · loading source
dist/cli.jsView file
1197var EventEmitter = __require("node:events").EventEmitter; L1198: var childProcess = __require("node:child_process"); L1199: var path = __require("node:path");
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L1197
2050} L2051: const execArgv = process5.execArgv ?? []; L2052: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L2050
41* Constructs the CommanderError class L42: * @param {number} exitCode suggested exit code which could be used with process.exit L43: * @param {string} code an id string representing the error ... L1197: var EventEmitter = __require("node:events").EventEmitter; L1198: var childProcess = __require("node:child_process"); L1199: var path = __require("node:path"); ... L1247: this._outputConfiguration = { L1248: writeOut: (str) => process5.stdout.write(str), L1249: writeErr: (str) => process5.stderr.write(str), ... L1289: * @returns {Command[]} L1290: * @private L1291: */
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L41
41Cross-file remote execution chain: dist/cli.js spawns dist/worker.js; helper contains network access plus dynamic code execution. L41: * Constructs the CommanderError class L42: * @param {number} exitCode suggested exit code which could be used with process.exit L43: * @param {string} code an id string representing the error ... L1197: var EventEmitter = __require("node:events").EventEmitter; L1198: var childProcess = __require("node:child_process"); L1199: var path = __require("node:path"); ... L1247: this._outputConfiguration = { L1248: writeOut: (str) => process5.stdout.write(str), L1249: writeErr: (str) => process5.stderr.write(str), ... L1289: * @returns {Command[]} L1290: * @private L1291: */
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L41
2import { createRequire as __npcmailCreateRequire } from 'node:module'; L3: const require = __npcmailCreateRequire(import.meta.url); L4: var __create = Object.create;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.jsView on unpkg · L2

Findings

4 High4 Medium6 Low
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighCross File Remote Execution Contextdist/cli.js
MediumDynamic Requiredist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings