registry  /  psycgod-sage-js  /  1.0.8

psycgod-sage-js@1.0.8

Smart Agent Guidance Engine - CLI wrapper with 97% compression for AI coding agents

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 29 file(s), 115 KB of source, external domains: github.com, sage-api.pascoaldsouza28.workers.dev, sage.api.marketingstudios.in

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/agents/security.jsView file
46const antiPatterns = [ L47: { pattern: /eval\s*\(/g, type: 'eval() usage', risk: 'Code injection vulnerability' }, L48: { pattern: /innerHTML\s*=/g, type: 'innerHTML assignment', risk: 'XSS vulnerability' },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/agents/security.jsView on unpkg · L46
dist/postinstall.jsView file
matchType = previous_version_dangerous_delta matchedPackage = psycgod-sage-js@1.0.7 matchedIdentity = npm:cHN5Y2dvZC1zYWdlLWpz:1.0.7 similarity = 0.893 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/postinstall.jsView on unpkg
3// Handles PATH configuration, setup, hooks, and API connection L4: import { execSync, spawnSync } from 'child_process'; L5: import { homedir, userInfo, platform as osPlatform } from 'os'; ... L31: try { L32: return userInfo().username || 'User'; L33: } L34: catch { L35: return process.env.USER || process.env.USERNAME || 'User'; L36: } ... L85: }); L86: if (result.stdout?.includes('ADDED')) { L87: return true;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/postinstall.jsView on unpkg · L3
dist/api/connect.jsView file
1// SAGE API Connection - Matches Python telemetry.py machine-login L2: import { execSync } from 'child_process'; L3: import { homedir, platform, hostname as getHostname, networkInterfaces, release } from 'os'; ... L9: // Match Python telemetry.py URLs exactly L10: const DEFAULT_API_BASE_URL = 'https://sage.api.marketingstudios.in'; L11: const FALLBACK_API_BASE_URL = 'https://sage-api.pascoaldsouza28.workers.dev'; ... L13: function getMachineFingerprint() { L14: const hostname = getHostname(); L15: let machineId = ''; ... L106: }, L107: body: JSON.stringify(payload), L108: signal: AbortSignal.timeout(15000),
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/api/connect.jsView on unpkg · L1

Findings

3 High5 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/api/connect.js
HighPrevious Version Dangerous Deltadist/postinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/postinstall.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/agents/security.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings