
peerllm-host-cli@2.2.0

⚠ Under review

Command-line PeerLLM host: serve decentralized AI compute from a headless machine.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No License
scanned 71 file(s), 445 KB of source, external domains: 127.0.0.1, api.peerllm.com, huggingface.co, nodejs.org, registry.npmjs.org

Source & flagged code

6 flagged
dist/core/capacity.js
L1: import { execFile } from "node:child_process";
L2: import { arch as osArch } from "node:os";
High
Child Process

Package source references child process execution.

dist/core/capacity.js · L1
dist/core/orchestrator.js
matchType = previous_version_dangerous_delta
matchedPackage = peerllm-host-cli@2.1.11
matchedIdentity = npm:cGVlcmxsbS1ob3N0LWNsaQ:2.1.11
similarity = 0.958
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/core/orchestrator.js
L812: `npm i -g ${spec} && (systemctl --user restart peerllm-host || true)`;
L813: const child = spawn(cmd, { shell: true, detached: true, stdio: "ignore" });
L814: child.unref();
High
Shell

Package source references shell execution.

dist/core/orchestrator.js · L812
L808: const spec = version ? `${pkg}@${version}` : `${pkg}@latest`;
L809: getLogger().info(`orchestrator: ⬆️ self-update → npm i -g ${spec}, then restart service`);
L810: const cmd = osPlatform() === "win32" ...
L812: : `npm i -g ${spec} && (systemctl --user restart peerllm-host || true)`;
L813: const child = spawn(cmd, { shell: true, detached: true, stdio: "ignore" });
L814: child.unref();
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/core/orchestrator.js · L808
dist/core/paths.js
L4: function platformConfigDir() {
L5:   const home = homedir();
L6:   switch (platform()) {
...
L9:     case "win32":
L10:      return join(process.env.APPDATA ?? join(home, "AppData", "Roaming"), "PeerLLM");
L11:    default:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/paths.js · L4
templates/windows/install-service.ps1
path = templates/windows/install-service.ps1
kind = build_helper
sizeBytes = 1194
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/windows/install-service.ps1

Findings

1 Critical · 3 High · 4 Medium · 6 Low

Critical · Previous Version Dangerous Delta · dist/core/orchestrator.js
High · Child Process · dist/core/capacity.js
High · Shell · dist/core/orchestrator.js
High · Runtime Package Install · dist/core/orchestrator.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · templates/windows/install-service.ps1
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/core/paths.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License