
octocode-ai@3.7.1


Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Native Bindings, Network, Shell, WebSocket
  Supply chain: High Entropy Strings, Url Strings
  Manifest: Copyleft License
scanned 372 file(s), 2.43 MB of source, external domains: 127.0.0.1, api.digitalocean.com, api.github.com, api.githubcopilot.com, api.octocode.ai, api.openai.com, api.releases.hashicorp.com, app.octocode.ai, auth.openai.com, auth.x.ai, chatgpt.com, cloud.digitalocean.com, community.chocolatey.org, company.ghe.com, console.octocode.ai, dev.octocode.ai, docs.github.com, download-cdn.jetbrains.com, example.com, formulae.brew.sh, github.com, gitlab.com, inference.do-ai.run, json-schema.org, julialang.org, mcp.exa.ai, models.dev, octocode.ai, octocode.internal, opncd.ai, raw.githubusercontent.com, search.parallel.ai, social-cards.sst.dev, tauri.localhost, vercel.link, www.eclipse.org, www.googleapis.com

Source & flagged code

7 flagged

package.json
scripts.postinstall = node script/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

Location: package.json
scripts.postinstall = node script/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Location: package.json

script/time.ts
L4: const toDynamicallyImport = path.join(process.cwd(), process.argv[2])
L5: await import(toDynamicallyImport)
L6: console.log(performance.now())
Medium
Dynamic Require

Package source references dynamic require/import behavior.

Location: script/time.ts, line 4

src/lsp/server.ts
L1: import type { ChildProcessWithoutNullStreams } from "child_process"
L2: import path from "path"
...
L24: const run = (cmd: string[], opts: Process.RunOptions = {}) => Process.run(cmd, { ...opts, nothrow: true })
L25: const output = (cmd: string[], opts: Process.RunOptions = {}) => Process.text(cmd, { ...opts, nothrow: true })
L26: ...
L120: root: NearestRoot(
L121: ["package-lock.json", "bun.lockb", "bun.lock", "pnpm-lock.yaml", "yarn.lock"],
L122: ["deno.json", "deno.jsonc"],
...
L133: env: {
L134: ...process.env,
L135: },
...
L188: log.info("downloading and building VS Code ESLint server")
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

Location: src/lsp/server.ts, line 1

src/cli/tui/tree-sitter-powershell-ryb2ffqs.wasm
path = src/cli/tui/tree-sitter-powershell-ryb2ffqs.wasm
kind = wasm_module
sizeBytes = 983236
magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

Location: src/cli/tui/tree-sitter-powershell-ryb2ffqs.wasm

test/server/auth.test.ts
patternName = generic_password
severity = medium
line = 47
matchedText = expect(S...al({
Medium
Secret Pattern

Hardcoded password in test/server/auth.test.ts

Location: test/server/auth.test.ts, line 47

test/server/httpapi-listen.test.ts
patternName = generic_password
severity = medium
line = 19
matchedText = const au...t" }
Medium
Secret Pattern

Hardcoded password in test/server/httpapi-listen.test.ts

Location: test/server/httpapi-listen.test.ts, line 19

Findings

2 High · 8 Medium · 5 Low

High · Install Time Lifecycle Scripts · package.json
High · Sandbox Evasion Gated Capability · src/lsp/server.ts
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · script/time.ts
Medium · Network
Medium · Environment Vars
Medium · Ships Wasm Module · src/cli/tui/tree-sitter-powershell-ryb2ffqs.wasm
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · test/server/auth.test.ts
Medium · Secret Pattern · test/server/httpapi-listen.test.ts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License