registry  /  openwriter  /  0.40.0

openwriter@0.40.0

The open-source writing surface for AI agents. Markdown-native editor with pending change review — your agent writes, you accept or reject.

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 87 file(s), 2.39 MB of source, external domains: 127.0.0.1, api.fxtwitter.com, api.github.com, api.x.com, authors-voice.com, developer.x.com, example.com, git-scm.com, github.com, prosemirror.net, publish.openwriter.io, purl.org, reactjs.org, registry.npmjs.org, twemoji.maxcdn.com, unavatar.io, www.idpf.org, www.w3.org, x.com

Source & flagged code

5 flagged · loading source
dist/plugins/github/dist/blog-tools.jsView file
6*/ L7: import { execFile } from 'child_process'; L8: import { existsSync, mkdirSync, readFileSync, copyFileSync, writeFileSync, readdirSync, statSync, rmSync } from 'fs';
High
Child Process

Package source references child process execution.

dist/plugins/github/dist/blog-tools.jsView on unpkg · L6
17// single literal argument and is NEVER interpreted by a shell. Do NOT add L18: // `shell: true` or hand-roll arg quoting here: that reintroduces OS command L19: // injection. If a future call genuinely needs shell features, whitelist-
High
Shell

Package source references shell execution.

dist/plugins/github/dist/blog-tools.jsView on unpkg · L17
dist/plugins/x-api/dist/server-bridge.jsView file
16let cached = null; L17: async function tryImport(base) { L18: const [state, helpers, draftjs] = await Promise.all([
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/x-api/dist/server-bridge.jsView on unpkg · L16
dist/server/plugin-install.jsView file
34try { L35: execSync(`npm install --save ${packageName}`, { L36: cwd: PLUGINS_DIR,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/server/plugin-install.jsView on unpkg · L34
dist/client/assets/source-serif-4-latin-wght-italic-D2yaqPoE.woff2View file
path = dist/client/assets/source-serif-4-latin-wght-italic-D2yaqPoE.woff2 kind = high_entropy_blob sizeBytes = 51516 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/source-serif-4-latin-wght-italic-D2yaqPoE.woff2View on unpkg

Findings

4 High4 Medium6 Low
HighChild Processdist/plugins/github/dist/blog-tools.js
HighShelldist/plugins/github/dist/blog-tools.js
HighRuntime Package Installdist/server/plugin-install.js
HighShips High Entropy Blobdist/client/assets/source-serif-4-latin-wght-italic-D2yaqPoE.woff2
MediumDynamic Requiredist/plugins/x-api/dist/server-bridge.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings