registry  /  pando-ai  /  1.2.3

pando-ai@1.2.3

⚠ Under review

AI coding firewall for Codex and Claude Code

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 26 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 2.05 MB of source, external domains: api.anthropic.com, api.openai.com, chatgpt.com, ehurtggpaunbndlxuemq.supabase.co, getpando.ai, github.com, json-schema.org, pando.local
Oversized source lightweight scan
dist/security-daemon.js11.1 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoHighEntropyStringsMinifiedUrlStringsehurtggpaunbndlxuemq.supabase.cogetpando.aijson-schema.org
dist/watcher-process.js10.9 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsNativeBindingsCryptoDynamicRequireHighEntropyStringsMinifiedUrlStringsgithub.com

Source & flagged code

19 flagged · loading source
dist/cli.jsView file
972patternName = supabase_service_key severity = critical line = 972 matchedText = `)}catch... in:
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/cli.jsView on unpkg · L972
904`,replaceExistingNodeAtPath:!1,expectedHash:"p123:c456"},replace:{op:"replace",path:"src/app.ts#FD:0",expectedHash:"p123:c456",with:`function app() {} L905: `},"replace-body":{op:"replace-body",path:"src/app.ts#FD:0",expectedHash:"p123:c456",with:"console.log(1);"},"filter-map-reduce":{op:"filter-map-reduce",query:{lang:["ts","js"],sco... L906: `);return t.includes("return results")||t.includes("return items")?"any[]":t.includes("return true")||t.includes("return false")?"boolean":t.includes("return")&&!t.includes("return... ... L915: `).filter(i=>i),s=Math.min(...r.map(i=>i.length-i.trimStart().length)),o=r.map(i=>i.slice(s)).map(i=>" ".repeat(this.indent*2)+i);for(let i of o)this.content.push(i)}compile(){let ... L916: `))}};var YN={major:4,minor:0,patch:0};var Qt=ee("$ZodType",(n,e)=>{var t;n??(n={}),n._zod.def=e,n._zod.bag=n._zod.bag||{},n._zod.version=YN;let r=[...n._zod.def.checks??[]];n._zod... L917: if (${S}.issues.length) {
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

dist/cli.jsView on unpkg · L904
1#!/usr/bin/env node L2: "use strict";var Y$=Object.create;var kf=Object.defineProperty;var ej=Object.getOwnPropertyDescriptor;var tj=Object.getOwnPropertyNames;var nj=Object.getPrototypeOf,rj=Object.proto... L3: `,"utf8"),qr.default.renameSync(r,e)}function hb(n){try{let e=qr.default.readFileSync(tE(n),"utf8"),t=JSON.parse(e);if(t&&t.version===1&&(t.extraRoots===void 0||Array.isArray(t.ext... L4: `,"utf8"),qr.default.renameSync(s,t)}function kj(n,e){if(!e)return{canonicalRepoRoot:n,gitCommonDir:null,gitObjectDir:null,fingerprint:`non-git:path:${n}`};let t=nE(e),r=t?yj(t):nu... L5: `)}catch{}try{cE(),Df.default.appendFileSync(aE(),o+` ... L7: `,"utf8")}catch{}}function yb(n){if(Array.isArray(n))return n.map(yb);if(!n||typeof n!="object")return n;let e={};for(let[t,r]of Object.entries(n))e[t]=$j(t)?"[redacted]":yb(r);ret... L8: `).slice(3,3+e).map(r=>r.trim()).join(" | "):"unknown"}catch{return"unknown"}}static canonicalProjectPath(e){return At(e)}static getEngine(e,t){let r=this.canonicalProjectPath(e),s... L9: SELECT ... L19: `)}catch{}}function HE(n){let e=ti.default.resolve(n,"tools/python-indexer/pando_python_worker.py");if(zu.default.existsSync(e))return e;let t=br("python-
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> bin/pando-ai.js -> dist/cli.js L1: #!/usr/bin/env node L2: "use strict";var Y$=Object.create;var kf=Object.defineProperty;var ej=Object.getOwnPropertyDescriptor;var tj=Object.getOwnPropertyNames;var nj=Object.getPrototypeOf,rj=Object.proto... L3: `,"utf8"),qr.default.renameSync(r,e)}function hb(n){try{let e=qr.default.readFileSync(tE(n),"utf8"),t=JSON.parse(e);if(t&&t.version===1&&(t.extraRoots===void 0||Array.isArray(t.ext... L4: `,"utf8"),qr.default.renameSync(s,t)}function kj(n,e){if(!e)return{canonicalRepoRoot:n,gitCommonDir:null,gitObjectDir:null,fingerprint:`non-git:path:${n}`};let t=nE(e),r=t?yj(t):nu... L5: `)}catch{}try{cE(),Df.default.appendFileSync(aE(),o+` ... L7: `,"utf8")}catch{}}function yb(n){if(Array.isArray(n))return n.map(yb);if(!n||typeof n!="object")return n;let e={};for(let[t,r]of Object.entries(n))e[t]=$j(t)?"[redacted]":yb(r);ret... L8: `).slice(3,3+e).map(r=>r.trim()).join(" | "):"unknown"}catch{return"unknown"}}static canonicalProjectPath(e){return At(e)}static getEngine(e,t){let r=this.canonicalProjectPath(e),s... L9: SELECT ... L19: `)}catch{}}function HE(n){let e=ti.default.resolve(n,"tools/python-indexer/pando_…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L1
972patternName = supabase_service_key severity = critical line = 972 matchedText = `)}catch... in:
Critical
Secret Pattern

Supabase service role key (JWT) in dist/cli.js

dist/cli.jsView on unpkg · L972
550CREATE INDEX IF NOT EXISTS idx_nodes_parent ON nodes(parent_node_id); L551: `)}function Na(n,e,t,r){n.prepare(`PRAGMA table_info("${e.replace(/"/g,'""')}")`).all().some(o=>o.name===t)||n.exec(`ALTER TABLE "${e.replace(/"/g,'""')}" ADD COLUMN ${t} ${r}`)}va... L552: `).slice(0,6).join(`
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L550
901${r.join(` L902: `)}${s}`}function pA(n){if(!Vn(n))return{valid:!1,error:"Operation payload must be an object.",issues:[{param:"operation",code:"invalid_type",message:"Invalid operation payload typ... L903: `,replaceExistingNodeAtPath:!1,expectedHash:"p123:c456"},"add-code":{op:"add-code",to:"src/app.ts#FD:0",code:`const x = 1; L904: `,replaceExistingNodeAtPath:!1,expectedHash:"p123:c456"},replace:{op:"replace",path:"src/app.ts#FD:0",expectedHash:"p123:c456",with:`function app() {} L905: `},"replace-body":{op:"replace-body",path:"src/app.ts#FD:0",expectedHash:"p123:c456",with:"console.log(1);"},"filter-map-reduce":{op:"filter-map-reduce",query:{lang:["ts","js"],sco... L906: `);return t.includes("return results")||t.includes("return items")?"any[]":t.includes("return true")||t.includes("return false")?"boolean":t.includes("return")&&!t.includes("return... L907: `)}hasCompletedIndexRun(){try{let e=this.getIndexingStore();if(e.getIndexingSession()?.run_state==="completed")return!0;let r=e.getIndexerMeta("indexing_session_stats");if(r)try{if... L908: ${l.stderr.trimEnd()}`:"",l.stdout?`stdout: ... L915: `).filter(i=>i),s=Math.min(...r.map(i=>i.length-i.trimStart().length)),o=r.ma
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L901
1#!/usr/bin/env node L2: "use strict";var Y$=Object.create;var kf=Object.defineProperty;var ej=Object.getOwnPropertyDescriptor;var tj=Object.getOwnPropertyNames;var nj=Object.getPrototypeOf,rj=Object.proto... L3: `,"utf8"),qr.default.renameSync(r,e)}function hb(n){try{let e=qr.default.readFileSync(tE(n),"utf8"),t=JSON.parse(e);if(t&&t.version===1&&(t.extraRoots===void 0||Array.isArray(t.ext... ... L18: `,"utf8"),qf("setEnabledLanguages wrote",{filePath:r,enabledLanguages:t}),_E(t)}var Hf,_b,Lj,ga=ne(()=>{"use strict";Hf=H(require("fs")),_b=H(require("path"));yE();rn();dt();Lj=".p... L19: `)}catch{}}function HE(n){let e=ti.default.resolve(n,"tools/python-indexer/pando_python_worker.py");if(zu.default.existsSync(e))return e;let t=br("python-indexer/pando_python_worke... L20: `)}catch{}}function XE(){for(let n of Wc.values())try{n.close()}catch{}Wc.clear(),Ob.clear()}function Fb(n){let e=process.platform==="win32"?".cmd":"",t=br(`csharp-indexer/bin/pand...
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: "use strict";var Y$=Object.create;var kf=Object.defineProperty;var ej=Object.getOwnPropertyDescriptor;var tj=Object.getOwnPropertyNames;var nj=Object.getPrototypeOf,rj=Object.proto... L3: `,"utf8"),qr.default.renameSync(r,e)}function hb(n){try{let e=qr.default.readFileSync(tE(n),"utf8"),t=JSON.parse(e);if(t&&t.version===1&&(t.extraRoots===void 0||Array.isArray(t.ext... L4: `,"utf8"),qr.default.renameSync(s,t)}function kj(n,e){if(!e)return{canonicalRepoRoot:n,gitCommonDir:null,gitObjectDir:null,fingerprint:`non-git:path:${n}`};let t=nE(e),r=t?yj(t):nu... L5: `)}catch{}try{cE(),Df.default.appendFileSync(aE(),o+` ... L7: `,"utf8")}catch{}}function yb(n){if(Array.isArray(n))return n.map(yb);if(!n||typeof n!="object")return n;let e={};for(let[t,r]of Object.entries(n))e[t]=$j(t)?"[redacted]":yb(r);ret... L8: `).slice(3,3+e).map(r=>r.trim()).join(" | "):"unknown"}catch{return"unknown"}}static canonicalProjectPath(e){return At(e)}static getEngine(e,t){let r=this.canonicalProjectPath(e),s... L9: SELECT ... L19: `)}catch{}}function HE(n){let e=ti.default.resolve(n,"tools/python-indexer/pando_python_worker.py");if(zu.default.existsSync(e))return e;let t=br("python-
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.jsView on unpkg · L1
dist/workers/chunk-7AHKQTIK.mjsView file
1import{b as i}from"./chunk-RRIZV7YJ.mjs";import{DatabaseSync as u}from"node:sqlite";var r,s,p,l=i(()=>{"use strict";r=class{constructor(t){this.statement=t}run(...t){let e=this.sta...
High
Child Process

Package source references child process execution.

dist/workers/chunk-7AHKQTIK.mjsView on unpkg · L1
bin/pando-ai.jsView file
57L58: require("../dist/cli.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/pando-ai.jsView on unpkg · L57
dist/workers/chunk-CGVA3QGF.mjsView file
1import{b as k}from"./chunk-RRIZV7YJ.mjs";var O=k(()=>{"use strict"});import s from"path";import $ from"os";import l from"fs";import E from"crypto";function D(){return process.env.P... L2: `,"utf8"),l.renameSync(e,n)}function B(t,n){if(!n)return{canonicalRepoRoot:t,gitCommonDir:null,gitObjectDir:null,fingerprint:`non-git:path:${t}`};let r=_(n),e=r?G(r):null,o=e?T(e):... L3: `)}catch{}try{et(),j.appendFileSync(Q(),i+`
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/workers/chunk-CGVA3QGF.mjsView on unpkg · L1
tools/clang-indexer/bin/pando-clang-indexerView file
path = tools/clang-indexer/bin/pando-clang-indexer kind = native_binary sizeBytes = 60304 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

tools/clang-indexer/bin/pando-clang-indexerView on unpkg
tools/clojure-indexer/bin/pando-clojure-indexer.cmdView file
path = tools/clojure-indexer/bin/pando-clojure-indexer.cmd kind = build_helper sizeBytes = 673 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

tools/clojure-indexer/bin/pando-clojure-indexer.cmdView on unpkg
tools/clojure-indexer/lib/pando-clojure-indexer-standalone.jarView file
path = tools/clojure-indexer/lib/pando-clojure-indexer-standalone.jar kind = high_entropy_blob sizeBytes = 18662327 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

tools/clojure-indexer/lib/pando-clojure-indexer-standalone.jarView on unpkg
path = tools/clojure-indexer/lib/pando-clojure-indexer-standalone.jar kind = compressed_blob sizeBytes = 18662327 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

tools/clojure-indexer/lib/pando-clojure-indexer-standalone.jarView on unpkg
path = tools/clojure-indexer/lib/pando-clojure-indexer-standalone.jar kind = nested_archive_needs_inspection sizeBytes = 18662327 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

tools/clojure-indexer/lib/pando-clojure-indexer-standalone.jarView on unpkg
dist/watcher-process.jsView file
path = dist/watcher-process.js kind = oversized_source_file sizeBytes = 11422479 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/watcher-process.jsView on unpkg
dist/security-daemon.jsView file
path = dist/security-daemon.js kind = oversized_cli_entrypoint sizeBytes = 11616841 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/security-daemon.jsView on unpkg

Findings

5 Critical6 High9 Medium6 Low
CriticalCritical Secretdist/cli.js
CriticalSame File Env Network Executiondist/cli.js
CriticalCredential Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
CriticalSecret Patterndist/cli.js
HighChild Processdist/workers/chunk-7AHKQTIK.mjs
HighShelldist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighRemote Agent Bridgedist/cli.js
HighShips High Entropy Blobtools/clojure-indexer/lib/pando-clojure-indexer-standalone.jar
HighOversized Source Filedist/watcher-process.js
MediumDynamic Requirebin/pando-ai.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli.js
MediumShips Native Binarytools/clang-indexer/bin/pando-clang-indexer
MediumShips Build Helpertools/clojure-indexer/bin/pando-clojure-indexer.cmd
MediumShips Compressed Blobtools/clojure-indexer/lib/pando-clojure-indexer-standalone.jar
MediumOversized Cli Entrypointdist/security-daemon.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/workers/chunk-CGVA3QGF.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiontools/clojure-indexer/lib/pando-clojure-indexer-standalone.jar