
octocode-ai@3.7.6

AI-powered development tool for the terminal with desktop & browser automation

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Native Bindings, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Url Strings
Manifest: Copyleft License
scanned 373 file(s), 2.44 MB of source, external domains: 127.0.0.1, api.digitalocean.com, api.github.com, api.githubcopilot.com, api.octocode.ai, api.openai.com, api.releases.hashicorp.com, app.octocode.ai, auth.openai.com, auth.x.ai, chatgpt.com, cloud.digitalocean.com, community.chocolatey.org, company.ghe.com, console.octocode.ai, dev.octocode.ai, docs.github.com, download-cdn.jetbrains.com, example.com, formulae.brew.sh, github.com, gitlab.com, inference.do-ai.run, json-schema.org, julialang.org, mcp.exa.ai, models.dev, octocode.ai, octocode.internal, opncd.ai, raw.githubusercontent.com, search.parallel.ai, social-cards.sst.dev, tauri.localhost, vercel.link, www.eclipse.org, www.googleapis.com

Source & flagged code

13 flagged
package.json
scripts.postinstall = node script/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node script/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
script/octo-shim.mjs
L3: import { spawnSync } from "child_process"
L4: import { existsSync } from "fs"
High
Child Process

Package source references child process execution.

script/octo-shim.mjs · L2
script/postinstall.mjs
L45: const cmd = '(Add-Type -MemberDefinition "[DllImport(""kernel32.dll"")] public static extern bool IsProcessorFeaturePresent(int ProcessorFeature);" -Name Kernel32 -Namespace Win32 ...
L46: for (const exe of ["powershell.exe", "pwsh.exe", "pwsh", "powershell"]) {
L47: try {
High
Shell

Package source references shell execution.

script/postinstall.mjs · L45
script/time.ts
L4: const toDynamicallyImport = path.join(process.cwd(), process.argv[2])
L5: await import(toDynamicallyImport)
L6: console.log(performance.now())
Medium
Dynamic Require

Package source references dynamic require/import behavior.

script/time.ts · L4
src/lsp/server.ts
L1: import type { ChildProcessWithoutNullStreams } from "child_process"
L2: import path from "path"
...
L24: const run = (cmd: string[], opts: Process.RunOptions = {}) => Process.run(cmd, { ...opts, nothrow: true })
L25: const output = (cmd: string[], opts: Process.RunOptions = {}) => Process.text(cmd, { ...opts, nothrow: true })
L26: ...
L120: root: NearestRoot(
L121: ["package-lock.json", "bun.lockb", "bun.lock", "pnpm-lock.yaml", "yarn.lock"],
L122: ["deno.json", "deno.jsonc"],
...
L133: env: {
L134: ...process.env,
L135: },
...
L188: log.info("downloading and building VS Code ESLint server")
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/lsp/server.ts · L1
src/tool/lazy-dep.ts
L16: try {
L17: execSync(`npm install -g ${name}`, { stdio: "inherit", timeout: 120000 })
L18: const mod = await import(name)
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/tool/lazy-dep.ts · L16
src/cli/tui/tree-sitter-powershell-ryb2ffqs.wasm
path = src/cli/tui/tree-sitter-powershell-ryb2ffqs.wasm
kind = wasm_module
sizeBytes = 983236
magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

src/cli/tui/tree-sitter-powershell-ryb2ffqs.wasm
octocode-ai-3.7.1.tgz
path = octocode-ai-3.7.1.tgz
kind = high_entropy_blob
sizeBytes = 5106146
magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

octocode-ai-3.7.1.tgz
path = octocode-ai-3.7.1.tgz
kind = compressed_blob
sizeBytes = 5106146
magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

octocode-ai-3.7.1.tgz
path = octocode-ai-3.7.1.tgz
kind = nested_archive_needs_inspection
sizeBytes = 5106146
magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

octocode-ai-3.7.1.tgz
test/server/auth.test.ts
patternName = generic_password
severity = medium
line = 47
matchedText = expect(S...al({
Medium
Secret Pattern

Hardcoded password in test/server/auth.test.ts

test/server/auth.test.ts · L47
test/server/httpapi-listen.test.ts
patternName = generic_password
severity = medium
line = 19
matchedText = const au...t" }
Medium
Secret Pattern

Hardcoded password in test/server/httpapi-listen.test.ts

test/server/httpapi-listen.test.ts · L19

Findings

6 High · 9 Medium · 6 Low
High · Install Time Lifecycle Scripts · package.json
High · Child Process · script/octo-shim.mjs
High · Shell · script/postinstall.mjs
High · Sandbox Evasion Gated Capability · src/lsp/server.ts
High · Runtime Package Install · src/tool/lazy-dep.ts
High · Ships High Entropy Blob · octocode-ai-3.7.1.tgz
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · script/time.ts
Medium · Network
Medium · Environment Vars
Medium · Ships Wasm Module · src/cli/tui/tree-sitter-powershell-ryb2ffqs.wasm
Medium · Ships Compressed Blob · octocode-ai-3.7.1.tgz
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · test/server/auth.test.ts
Medium · Secret Pattern · test/server/httpapi-listen.test.ts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Nested Archive Needs Inspection · octocode-ai-3.7.1.tgz
Low · Copyleft License