registry  /  psycgod-sage-js  /  1.0.7

psycgod-sage-js@1.0.7

Smart Agent Guidance Engine - CLI wrapper with 97% compression for AI coding agents

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 101 KB of source, external domains: sage-api.pascoaldsouza28.workers.dev, sage.api.marketingstudios.in

Source & flagged code

3 flagged · loading source
dist/agents/security.jsView file
46const antiPatterns = [ L47: { pattern: /eval\s*\(/g, type: 'eval() usage', risk: 'Code injection vulnerability' }, L48: { pattern: /innerHTML\s*=/g, type: 'innerHTML assignment', risk: 'XSS vulnerability' },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/agents/security.jsView on unpkg · L46
dist/api/connect.jsView file
1// SAGE API Connection - Matches Python telemetry.py machine-login L2: import { execSync } from 'child_process'; L3: import { homedir, platform, hostname as getHostname, networkInterfaces, release } from 'os'; ... L9: // Match Python telemetry.py URLs exactly L10: const DEFAULT_API_BASE_URL = 'https://sage.api.marketingstudios.in'; L11: const FALLBACK_API_BASE_URL = 'https://sage-api.pascoaldsouza28.workers.dev'; ... L13: function getMachineFingerprint() { L14: const hostname = getHostname(); L15: let machineId = ''; ... L106: }, L107: body: JSON.stringify(payload), L108: signal: AbortSignal.timeout(15000),
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/api/connect.jsView on unpkg · L1
matchType = previous_version_dangerous_delta matchedPackage = psycgod-sage-js@1.0.5 matchedIdentity = npm:cHN5Y2dvZC1zYWdlLWpz:1.0.5 similarity = 0.929 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/api/connect.jsView on unpkg

Findings

2 High3 Medium6 Low
HighSandbox Evasion Gated Capabilitydist/api/connect.js
HighPrevious Version Dangerous Deltadist/api/connect.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/agents/security.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings