registry  /  shine-code-submit  /  1.0.8

shine-code-submit@1.0.8

⚠ Under review

Claude Code Hook -> 本地常驻 Daemon 的状态/持久化底座

Static Scan Results

scanned 10h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 77 file(s), 509 KB of source, external domains: 47.98.221.20, bun.sh, github.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

8 flagged · loading source
bin/launcher.cjsView file
11// 确保交互式 claude 里一定能看到(systemMessage 字段已被验证会显示)。 L12: const { spawn, spawnSync } = require("node:child_process"); L13: const readline = require("node:readline");
High
Child Process

Package source references child process execution.

bin/launcher.cjsView on unpkg · L11
1#!/usr/bin/env node L2: // shine-code-submit hook 平台分发器(.cjs 强制 CommonJS,兼容所有 node,不依赖 package.json)。 L3: // Claude Code 经 hooks.json 以 `node launcher.cjs <Event>` 调用(exec form,不经 shell)。 ... L7: // L8: // ⚠️ Claude Code 的 SessionStart hook 把 stdout 当【单个 JSON 对象】解析(提取 systemMessage 展示)。 L9: // 所以:① 进度/提示绝不能写 stdout(混入纯文本会让整个 stdout JSON 解析失败、链接也不显示)——走 stderr + 日志。 ... L11: // 确保交互式 claude 里一定能看到(systemMessage 字段已被验证会显示)。 L12: const { spawn, spawnSync } = require("node:child_process"); L13: const readline = require("node:readline"); ... L17: L18: const here = __dirname; // .../bin/ L19: const plat = process.platform === "win32" ? "windows" : process.platform; // darwin | linux | windows
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/launcher.cjsView on unpkg · L1
src/install/bun.tsView file
46function runShell(cmd: string): number { L47: return spawnSync(cmd, { shell: true, encoding: "utf8", timeout: INSTALL_TIMEOUT_MS, stdio: "inherit" }).status ?? 1; L48: }
High
Shell

Package source references shell execution.

src/install/bun.tsView on unpkg · L46
src/shared/id.tsView file
1// 稳定事件 id:基于事件内容派生(而非 hook 进程随机生成),用于幂等去重。 L2: // 同一语义事件即使被多个 hook 进程采集(如 settings.json + plugin 双注册,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/shared/id.tsView on unpkg · L1
dist/install.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = shine-code-submit@1.0.1 matchedIdentity = npm:c2hpbmUtY29kZS1zdWJtaXQ:1.0.1 similarity = 0.747 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/install.cjsView on unpkg
1#!/usr/bin/env node L2: var N=require("node:fs"),X1=require("node:path"),Y1=require("node:child_process");var m=require("node:fs"),h=require("node:os"),y=require("node:path"),v=require("node:child_process... L3:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/install.cjsView on unpkg · L1
1#!/usr/bin/env node L2: var N=require("node:fs"),X1=require("node:path"),Y1=require("node:child_process");var m=require("node:fs"),h=require("node:os"),y=require("node:path"),v=require("node:child_process... L3:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/install.cjsView on unpkg · L1
src/shared/daemonctl.tsView file
56// 用 process.execPath(hook/cli 由 bun 跑时即 bun.exe 完整路径),不靠 PATH/PATHEXT 解析—— L57: // Windows 上 bun 进程内 spawn("bun") 不查 PATHEXT 会 ENOENT(Linux 无此问题) L58: spawn(process.execPath, ["run", daemonSrc], { detached: true, stdio: "ignore", windowsHide: true }).unref(); ... L60: } catch (err) { L61: process.stderr.write(`[shine-code-submit] spawn daemon failed: ${safeMsg(err)}\n`); L62: } ... L70: try { L71: await fetch(`${BASE_URL}/api/shutdown`, { L72: method: "POST",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

src/shared/daemonctl.tsView on unpkg · L56

Findings

1 Critical6 High3 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/install.cjs
HighChild Processbin/launcher.cjs
HighShellsrc/install/bun.ts
HighSame File Env Network Executiondist/install.cjs
HighCommand Output Exfiltrationsrc/shared/daemonctl.ts
HighSandbox Evasion Gated Capabilitybin/launcher.cjs
HighRuntime Package Installdist/install.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptosrc/shared/id.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings