registry  /  rea-agents  /  1.3.0

rea-agents@1.3.0

Reverse engineer anything from your terminal or agent with one CLI and MCP server.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 169 file(s), 886 KB of source, external domains: 127.0.0.1, registry.npmjs.org, www.hopperapp.com

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/prepare-node-pty.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/application/TerminalRenderer.jsView file
1import { createRequire } from "node:module"; L2: const require = createRequire(import.meta.url); L3: // SAFETY: both pinned xterm packages publish CommonJS at runtime and matching declarations.
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/application/TerminalRenderer.jsView on unpkg · L1
dist/application/MacHopper.jsView file
1import { createHash } from "node:crypto"; L2: import { execFile } from "node:child_process"; L3: import { access, mkdir, mkdtemp, readdir, rename, rm, writeFile, } from "node:fs/promises"; ... L8: const execFileAsync = promisify(execFile); L9: const RELEASES_URL = "https://www.hopperapp.com/include/files-api.php?request=releases&public=true"; L10: const DOWNLOAD_PREFIX = "https://www.hopperapp.com:443/downloader/public/"; ... L75: return { ok: false, bytes: new Uint8Array() }; L76: const bytes = new Uint8Array(await response.arrayBuffer()); L77: return { ok: response.ok && bytes.byteLength <= MAX_PACKAGE_BYTES, bytes }; ... L112: join(appPath, "Contents/Info.plist"), L113: ])).stdout.trim(); L114: return identifier === BUNDLE_IDENTIFIER;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/application/MacHopper.jsView on unpkg · L1
bridge/hopper_bridge.pyView file
path = bridge/hopper_bridge.py kind = build_helper sizeBytes = 37115 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bridge/hopper_bridge.pyView on unpkg
dist/application/Doctor.jsView file
matchType = previous_version_dangerous_delta matchedPackage = rea-agents@0.5.0 matchedIdentity = npm:cmVhLWFnZW50cw:0.5.0 similarity = 0.350 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/application/Doctor.jsView on unpkg

Findings

2 High5 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltadist/application/Doctor.js
MediumDynamic Requiredist/application/TerminalRenderer.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbridge/hopper_bridge.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/application/MacHopper.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings