oysterun@1.3.0

Oysterun Host installer and local service

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 22 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, Telemetry, UrlStrings
Manifest
NoLicense
scanned 126 file(s), 6.29 MB of source, external domains: 100.85.20.96, 127.0.0.1, 192.168.0.188, api.oysterun.com, api.telegram.org, example.com, github.com, ns.adobe.com, oysterun.com, oysterun.local, reactjs.org, registry.npmjs.org, voieechcontent.sgp1.digitaloceanspaces.com, www.w3.org, www.xfa.org
Oversized source lightweight scan
dev/client/web-chat/dist/assets/index-OEGciFL1.js · 3.82 MB file, sampled 256 KB
Network, ChildProcess, HighEntropyStrings, Minified, UrlStrings, reactjs.org, www.w3.org
dev/client/web-chat/dist/public/element-call/assets/index-BAfhaCa-.js · 2.60 MB file, sampled 256 KB
Network, ChildProcess, HighEntropyStrings, Minified, UrlStrings, www.w3.org

Source & flagged code

11 flagged
dev/client/web-chat/dist/pdf.worker.min.js
patternName = aws_access_key severity = critical line = 21 matchedText = */var e=...er};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dev/client/web-chat/dist/pdf.worker.min.js · L21
patternName = aws_access_key severity = critical line = 21 matchedText = */var e=...er};
Critical
Secret Pattern

AWS access key ID in dev/client/web-chat/dist/pdf.worker.min.js

dev/client/web-chat/dist/pdf.worker.min.js · L21
L20: * JavaScript code in this page
L21: */var e={d:(t,i)=>{for(var a in i)e.o(i,a)&&!e.o(t,a)&&Object.defineProperty(t,a,{enumerable:!0,get:i[a]})},o:(e,t)=>Object.prototype.hasOwnProperty.call(e,t)},__webpack_exports__=...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dev/client/web-chat/dist/pdf.worker.min.js · L20
host-service/server.mjs
L211: const __dirname = dirname(fileURLToPath(import.meta.url));
L212: const require = createRequire(import.meta.url);
L213: const QRCode = require("qrcode-terminal/vendor/QRCode");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

host-service/server.mjs · L211
L1: import { spawn } from "child_process";
L2: import { createRequire } from "module";
L3: import { createServer } from "http";
L4: import {
...
L210: // ── Dashboard static file ────────────────────────────────────
L211: const __dirname = dirname(fileURLToPath(import.meta.url));
L212: const require = createRequire(import.meta.url);
...
L369: const HEARTBEAT_INTERVAL = parseInt(
L370: process.env.OYSTERUN_HEARTBEAT_INTERVAL || "60000",
L371: 10
...
L653: ? body
L654: : Buffer.from(String(body ?? ""), "utf-8");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

host-service/server.mjs · L1
host-service/config.mjs
L1: import { execFileSync } from "child_process";
L2: import {
...
L29: export function getConfigDir() {
L30: return process.env.OYSTERUN_CONFIG_DIR || join(homedir(), ".oysterun");
L31: }
...
L70:
L71: function resolveSystemLocalHostName() {
L72: try {
...
L105: export const LEGACY_FALLBACK_HOST_PORT = 3456;
L106: export const PRODUCT_CLOUD_BACKEND_URL = "https://api.oysterun.com";
L107: export const PRODUCT_CLOUD_BACKEND_STAGE = "prod";
...
L607: function cloneValue(value) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

host-service/config.mjs · L1
dev/client/web-chat/dist/public/element-call/assets/vision_wasm_internal-TmjHuG4I.wasm
path = dev/client/web-chat/dist/public/element-call/assets/vision_wasm_internal-TmjHuG4I.wasm kind = wasm_module sizeBytes = 9574032 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dev/client/web-chat/dist/public/element-call/assets/vision_wasm_internal-TmjHuG4I.wasm
tool_scripts/restart_oysterun.sh
path = tool_scripts/restart_oysterun.sh kind = build_helper sizeBytes = 212 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

tool_scripts/restart_oysterun.sh
dev/client/web-chat/dist/public/element-call/assets/dog-BoQdnF-w.mp3
path = dev/client/web-chat/dist/public/element-call/assets/dog-BoQdnF-w.mp3 kind = high_entropy_blob sizeBytes = 11702 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dev/client/web-chat/dist/public/element-call/assets/dog-BoQdnF-w.mp3
dev/client/web-chat/dist/public/element-call/assets/index-BAfhaCa-.js
path = dev/client/web-chat/dist/public/element-call/assets/index-BAfhaCa-.js kind = oversized_source_file sizeBytes = 2729281 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dev/client/web-chat/dist/public/element-call/assets/index-BAfhaCa-.js
package.json
dependencies registry_only=@agentclientprotocol/sdk,@anthropic-ai/claude-agent-sdk,@anthropic-ai/claude-agent-sdk-darwin-arm64,@anthropic-ai/sdk,@babel/runtime,@hono/node-server,@modelcontextprotocol/sdk,@stablelib/base64
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.json

Findings

3 Critical · 3 High · 8 Medium · 8 Low
Critical · Critical Secret · dev/client/web-chat/dist/pdf.worker.min.js
Critical · Manifest Confusion · package.json
Critical · Secret Pattern · dev/client/web-chat/dist/pdf.worker.min.js
High · Sandbox Evasion Gated Capability · host-service/config.mjs
High · Ships High Entropy Blob · dev/client/web-chat/dist/public/element-call/assets/dog-BoQdnF-w.mp3
High · Oversized Source File · dev/client/web-chat/dist/public/element-call/assets/index-BAfhaCa-.js
Medium · Dynamic Require · host-service/server.mjs
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · host-service/server.mjs
Medium · Protestware
Medium · Ships Wasm Module · dev/client/web-chat/dist/public/element-call/assets/vision_wasm_internal-TmjHuG4I.wasm
Medium · Ships Build Helper · tool_scripts/restart_oysterun.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · dev/client/web-chat/dist/pdf.worker.min.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License