registry  /  opendmo  /  0.1.1

opendmo@0.1.1

open-dmo — an aware AI DMO office in your terminal

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 5 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess
Supply chain
UrlStrings
Manifest
NoLicense
scanned 1 file(s), 1.28 KB of source, external domains: cdn.jsdelivr.net

Source & flagged code

2 flagged · loading source
bin/opendmo.jsView file
4// see LICENSE); this shim is the only JavaScript in the opendmo package. L5: const { spawnSync } = require("node:child_process"); L6: const { dirname, join } = require("node:path"); ... L11: L12: const key = process.platform + "-" + process.arch; L13: const packageName = PLATFORM_PACKAGES[key]; ... L20: try { L21: packageJsonPath = require.resolve(packageName + "/package.json"); L22: } catch { ... L25: "Reinstall with: npm i -g opendmo\n" + L26: "or use the installer: curl -fsSL https://cdn.jsdelivr.net/npm/opendmo/install.sh | bash", L27: );
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/opendmo.jsView on unpkg · L4
install.shView file
path = install.sh kind = build_helper sizeBytes = 7480 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg

Findings

1 High2 Medium2 Low
HighSandbox Evasion Gated Capabilitybin/opendmo.js
MediumShips Build Helperinstall.sh
MediumStructural Risk Force Deep Review
LowUrl Strings
LowNo License