poe-code@3.0.414

CLI tool to configure Poe API for developer workflows.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Obfuscated, Url Strings
  Manifest: Wildcard Dependency
scanned 1,377 file(s), 18.5 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.duckduckgo.com, api.example.com, api.forgeyard.invalid, api.github.com, api.openai.com, api.poe.com, auth.example.com, claude.ai, cursor.com, example.com, example.test, github.com, json-schema.org, mock.invalid, opencode.ai, podman.io, poe-code.dev, poe-platform.github.io, poe.com, registry.npmjs.org, resource.example.com, www.docker.com, www.w3.org
Oversized source lightweight scan
  dist/index.js: 4.60 MB file, sampled 256 KB
  Signals: Filesystem, Child Process, Environment Vars, Shell, High Entropy Strings, Url Strings
  Domains: github.com, json-schema.org, poe-platform.github.io, poe.com

Source & flagged code

9 flagged

package.json
  scripts.postinstall = node scripts/postinstall-sync-skills.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json (unpkg)
dist/bin/poe-opencode.js
  L8: }
  L9: import { spawn } from "node:child_process";
  L10: import path from "node:path";
High
Child Process

Package source references child process execution.

dist/bin/poe-opencode.js (unpkg) · L8
dist/providers/opencode.js
  L5121: { id: "r", aliases: ["r", "rscript"], family: "lexical", spec: "r" },
  L5122: { id: "powershell", aliases: ["ps1", "powershell", "pwsh"], family: "lexical", spec: "powershell" },
  L5123: { id: "elixir", aliases: ["ex", "exs", "elixir"], family: "lexical", spec: "elixir" },
High
Shell

Package source references shell execution.

dist/providers/opencode.js (unpkg) · L5121
dist/cli/commands/runtime/build.js
  L118: async function loadE2bRunnerModule() {
  L119: const dynamicImport = new Function("specifier", "return import(specifier)");
  L120: try {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli/commands/runtime/build.js (unpkg) · L118
dist/providers/poe-agent.js
  L472: spawn as spawnChildProcess
  L473: } from "node:child_process";
  L474: function assertExtensionMethod(method) {
  ...
  L16671: summary: "Route AI coding agents through Poe's API.",
  L16672: baseUrl: "https://api.poe.com",
  L16673: agentBaseUrl: "https://api.poe.com",
  ...
  L29202: try {
  L29203: writeFileSync(filePath, serializeDockerEnvFile(entries), {
  L29204: encoding: "utf8",
  ...
  L51214: `,
  L51215: agent: `Review the requested pull request directly without orchestrating other agents. Read the pull request context with the available tools, then create exactly one review draft ...
  L51216:
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/providers/poe-agent.js (unpkg) · L472
dist/providers/poe-agent.js
  L14: };
  L15: var __commonJS = (cb, mod) => function __require() {
  L16: try {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/providers/poe-agent.js (unpkg) · L14
packages/terminal-pilot/dist/testing/qa-cli.js
  L13989: // src/commands/daemon-runtime.ts
  L13990: import { spawn as spawn3 } from "node:child_process";
  L13991: import { createHash as createHash2 } from "node:crypto";
  L13992: import { mkdir as mkdir2, unlink as unlink2 } from "node:fs/promises";
  L13993: import net from "node:net";
  L13994: import os4 from "node:os";
  ...
  L14004: const runtime = createTerminalPilotRuntime();
  L14005: const socketPath = resolveSocketPath(process.env);
  L14006: await mkdir2(path14.dirname(socketPath), { recursive: true });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

packages/terminal-pilot/dist/testing/qa-cli.js (unpkg) · L13989
packages/e2e-test-runner/dist/preflight.js
  L1: import { execSync } from 'node:child_process';
  L2: import { access, mkdtemp, rm } from 'node:fs/promises';
  ...
  L86: message: error instanceof Error ? error.message : 'Podman not installed',
  L87: fix: 'Install Podman: https://podman.io/docs/installation',
  L88: };
  ...
  L106: try {
  L107: if (process.platform === 'darwin') {
  L108: execSync('sandbox-exec -V', { stdio: 'ignore' });
  ...
  L153: const home = await mkdtemp(TEMP_HOME_PREFIX);
  L154: const workspace = getWorkspaceDir() ?? process.cwd();
  L155: const env = buildIsolatedHostEnv(home, workspace);
  ...
  L168: function buildIsolatedHostEnv(home, workspace) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

packages/e2e-test-runner/dist/preflight.js (unpkg) · L1
dist/index.js
  path = dist/index.js
  kind = oversized_source_file
  sizeBytes = 4822898
  magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.js (unpkg)

Findings

7 High · 5 Medium · 7 Low

High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/bin/poe-opencode.js
High · Shell · dist/providers/opencode.js
High · Same File Env Network Execution · packages/terminal-pilot/dist/testing/qa-cli.js
High · Sandbox Evasion Gated Capability · packages/e2e-test-runner/dist/preflight.js
High · Remote Agent Bridge · dist/providers/poe-agent.js
High · Oversized Source File · dist/index.js
Medium · Dynamic Require · dist/providers/poe-agent.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/cli/commands/runtime/build.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings