
quadwork@2.4.0

⚠ Under review

Unified dashboard for multi-agent coding teams — 4 AI agents, one terminal

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence (public snapshot)

Behavioral surface
    Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell, WebSocket
    Supply chain: High Entropy Strings, Minified, Obfuscated, Url Strings
    Manifest: No manifest risk signals triggered.

Scanned 46 file(s), 1.73 MB of source. External domains: 127.0.0.1, api.telegram.org, cli.github.com, discord.com, discord.gg, github.com, nextjs.org, nodejs.org, raw.githubusercontent.com, react.dev

Source & flagged code

7 flagged
bin/quadwork.js

    L2:
    L3: const { execFileSync, spawn } = require("child_process");
    L4: const fs = require("fs");
High
Child Process

Package source references child process execution.

bin/quadwork.js · L2

    L2:
    L3: const { execFileSync, spawn } = require("child_process");
    L4: const fs = require("fs");
    ...
    L11:
    L12: const CONFIG_DIR = path.join(os.homedir(), ".quadwork");
    L13: const CONFIG_PATH = path.join(CONFIG_DIR, "config.json");
    ...
    L25:
    L26: const isTTY = process.stdout.isTTY;
    L27: const c = isTTY ? {
    ...
    L51: const id = setInterval(() => {
    L52: process.stdout.write(`\r ${c.cyan}${frames[i++ % frames.length]}${c.reset} ${msg}`);
    L53: }, 80);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/quadwork.js · L2

    L295: log("");
    L296: log(` → /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.[redacted].sh)"`);
    L297: log("");
    L298: log("After installing, close and reopen your terminal, then run:");
    L299: log(" → npx quadwork init");
    L300: console.log("");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/quadwork.js · L295

    L2:
    L3: const { execFileSync, spawn } = require("child_process");
    L4: const fs = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/quadwork.js · L2

server/routes.js

    L5: const express = require("express");
    L6: const { execFile: _execFileCb, execFileSync, spawn } = require("child_process");
    L7: const _execFileAsync = require("util").promisify(_execFileCb);
    ...
    L23:
    L24: const CONFIG_DIR = path.join(os.homedir(), ".quadwork");
    L25: const CONFIG_PATH = path.join(CONFIG_DIR, "config.json");
    ...
    L91: // rate_limit endpoint is itself exempt — zero budget cost.
    L92: const { stdout } = await _execFileAsync("gh", [
    L93: "api", "rate_limit", "--jq",
    ...
    L95: ], { encoding: "utf-8", timeout: 10000 });
    L96: const data = JSON.parse(stdout);
    L97: _rateLimit.limit = data.core.limit;
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

server/routes.js · L5

    L2575: // path off GraphQL.
    L2576: await ghJsonExecAsync(["api", `repos/${repo}/issues/${first}`, "--jq", ".number"]);
    L2577: return "fresh";
High
Shell

Package source references shell execution.

server/routes.js · L2575

out/_next/static/media/5ce348bf30bf5439-s.0zgw-jeven.3w.woff2

    path = out/_next/static/media/5ce348bf30bf5439-s.0zgw-jeven.3w.woff2
    kind = high_entropy_blob
    sizeBytes = 6204
    magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

out/_next/static/media/5ce348bf30bf5439-s.0zgw-jeven.3w.woff2

Findings

1 Critical · 5 High · 4 Medium · 5 Low

Critical · Command Output Exfiltration · server/routes.js
High · Child Process · bin/quadwork.js
High · Shell · server/routes.js
High · Sandbox Evasion Gated Capability · bin/quadwork.js
High · Runtime Package Install · bin/quadwork.js
High · Ships High Entropy Blob · out/_next/static/media/5ce348bf30bf5439-s.0zgw-jeven.3w.woff2
Medium · Dynamic Require · bin/quadwork.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings