registry  /  otterkit  /  0.3.0

otterkit@0.3.0

OtterKit CLI — provision and connect tunnels for AI agents

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 59.6 KB of source, external domains: api.otterkit.com, app.otterkit.com, otterkit.app, www.otterkit.com

Source & flagged code

3 flagged · loading source
dist/index.jsView file
7*/ L8: import { spawn } from 'node:child_process'; L9: import { fileURLToPath } from 'node:url';
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L7
dist/login.jsView file
10*/ L11: import { spawn } from 'node:child_process'; L12: import { saveCredentials, clearCredentials, getToken, loadCredentials } from './credentials.js'; L13: const API_SERVER = process.env.OTTERKIT_API_URL || 'https://api.otterkit.com'; L14: /* ── ANSI helpers (kept local; mirrors index.ts) ── */
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/login.jsView on unpkg · L10
10*/ L11: import { spawn } from 'node:child_process'; L12: import { saveCredentials, clearCredentials, getToken, loadCredentials } from './credentials.js'; L13: const API_SERVER = process.env.OTTERKIT_API_URL || 'https://api.otterkit.com'; L14: /* ── ANSI helpers (kept local; mirrors index.ts) ── */ ... L32: }, L33: body: body ? JSON.stringify(body) : undefined, L34: }); L35: return (await resp.json().catch(() => ({ ok: false, error: 'bad_response' }))); L36: } L37: function openBrowser(url) { L38: const cmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'cmd' : 'xdg-open';
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/login.jsView on unpkg · L10

Findings

4 High3 Medium5 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/login.js
HighSandbox Evasion Gated Capabilitydist/login.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings