registry  /  oh-aicoding-tool  /  0.1.70

oh-aicoding-tool@0.1.70

Configure AI coding tools with Langfuse tracing and install the oh-ai-report issue feedback plugin.

Static Scan Results

scanned 14d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 31 file(s), 386 KB of source, external domains: 120.46.221.227, cloud.langfuse.com, gitcode.com, nodejs.org, pypi.tuna.tsinghua.edu.cn, registry.npmjs.org, registry.npmmirror.com, www.python.org

Source & flagged code

7 flagged · loading source
bin/langfuse-cli.jsView file
5import { fileURLToPath } from "url"; L6: import { spawnSync } from "child_process"; L7:
High
Child Process

Package source references child process execution.

bin/langfuse-cli.jsView on unpkg · L5
139const r = isWindowsShellScript L140: ? spawnSync([command, ...args].join(" "), { encoding: "utf8", shell: true }) L141: : spawnSync(command, args, { encoding: "utf8" });
High
Shell

Package source references shell execution.

bin/langfuse-cli.jsView on unpkg · L139
5import { fileURLToPath } from "url"; L6: import { spawnSync } from "child_process"; L7: ... L10: L11: const DEFAULT_LANGFUSE_BASE_URL = "http://120.46.221.227:3000"; L12: const DEFAULT_LANGFUSE_PUBLIC_KEY = "pk-lf-da0c90a7-6e93-4eb7-bb86-c1047c8d187d"; ... L47: L48: const colorEnabled = process.stdout.isTTY && process.env.NO_COLOR !== "1"; L49: const ansi = (code) => (colorEnabled ? `\x1b[${code}m` : ""); ... L103: function clearScreen() { L104: if (process.stdout.isTTY) process.stdout.write("\x1b[2J\x1b[H"); L105: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/langfuse-cli.jsView on unpkg · L5
scripts/skillhub/source.mjsView file
1import { spawn, spawnSync } from "node:child_process"; L2: import crypto from "node:crypto"; ... L11: export function ensureSkillSourceRoot(manifest, options = {}) { L12: const env = options.env || process.env; L13: if (env.OH_SKILLHUB_SOURCE_DIR) { ... L22: L23: const cacheRoot = env.OH_SKILLHUB_CACHE_DIR || path.join(os.homedir(), ".oh-skillhub", "cache"); L24: const sparsePaths = selectedSparsePaths(options.skills); ... L180: const child = spawn("git", args, { shell: false }); L181: let stdout = ""; L182: let stderr = "";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

scripts/skillhub/source.mjsView on unpkg · L1
scripts/opencode-langfuse-setup.mjsView file
3import os from "node:os"; L4: import { spawn, spawnSync } from "node:child_process"; L5: import { fileURLToPath } from "node:url"; ... L13: const rootDir = path.resolve(path.dirname(fileURLToPath(import.meta.url)), ".."); L14: const packageJson = JSON.parse(fs.readFileSync(path.join(rootDir, "package.json"), "utf8")); L15: ... L54: L55: const colorEnabled = process.stdout.isTTY && process.env.NO_COLOR !== "1"; L56: const ansi = (code) => (colorEnabled ? `\x1b[${code}m` : ""); ... L117: function writeLangfusePluginUserConfig({ userId }) { L118: const home = os.homedir(); L119: const dir = path.join(home, ".config", "opencode-plugin-langfuse");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/opencode-langfuse-setup.mjsView on unpkg · L3
scripts/auto-update-runtime.mjsView file
3import readline from "node:readline"; L4: import { spawnSync } from "node:child_process"; L5: import { fileURLToPath } from "node:url"; ... L11: const ALLOWED_TARGETS = new Set(["claude", "opencode", "codex"]); L12: const OFFICIAL_NPM_REGISTRY = "https://registry.npmjs.org/"; L13: L14: const colorEnabled = process.stdout.isTTY && process.env.NO_COLOR !== "1"; L15: const ansi = (code) => (colorEnabled ? `\x1b[${code}m` : "");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/auto-update-runtime.mjsView on unpkg · L3
codex_langfuse_notify.pyView file
path = codex_langfuse_notify.py kind = build_helper sizeBytes = 60707 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

codex_langfuse_notify.pyView on unpkg

Findings

4 High5 Medium6 Low
HighChild Processbin/langfuse-cli.js
HighShellbin/langfuse-cli.js
HighSame File Env Network Executionscripts/auto-update-runtime.mjs
HighSandbox Evasion Gated Capabilitybin/langfuse-cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencescripts/opencode-langfuse-setup.mjs
MediumShips Build Helpercodex_langfuse_notify.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoscripts/skillhub/source.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License