374coverage: 0.95,
L375: note: "string read/write via real navigator.clipboard, image read/write via real ClipboardItem on browsers that expose it (Chromium-based, plus Safari 13.4+). getImageAsync returns...
L376: working: "getStringAsync / setStringAsync / setString / hasStringAsync via navigator.clipboard, getImageAsync returning { data: base64, size: { width, height } } via Clipboard.read...
L377: missing: "external-app clipboard-change events (no browser API), Firefox image read (no Clipboard.read support \u2014 falls back to null/false), text-format edge cases like RTF/HTM...
...
L850: note: "real SQLite via lazy-loaded bedrock-sqlite (~1MB WASM) \u2014 full SQL support including joins, transactions, prepared statements, RETURNING. WASM ships in the runtime tarba...
L851: working: "openDatabaseAsync / openDatabaseSync (real bedrock instance), execAsync / execSync, prepareAsync / prepareSync, runAsync / runSync, getFirstAsync / getFirstSync, getAllAs...
L852: missing: "serializeAsync (bedrock does not expose sqlite3_serialize through its module surface), backupDatabaseAsync, addDatabaseChangeListener (no sqlite3_update_hook bindings), c...
...
L913: coverage: 0.85,
L914: no
CriticalCredential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist-lib/skills.cjsView on unpkg · L374 374coverage: 0.95,
L375: note: "string read/write via real navigator.clipboard, image read/write via real ClipboardItem on browsers that expose it (Chromium-based, plus Safari 13.4+). getImageAsync returns...
L376: working: "getStringAsync / setStringAsync / setString / hasStringAsync via navigator.clipboard, getImageAsync returning { data: base64, size: { width, height } } via Clipboard.read...
L377: missing: "external-app clipboard-change events (no browser API), Firefox image read (no Clipboard.read support \u2014 falls back to null/false), text-format edge cases like RTF/HTM...
...
L850: note: "real SQLite via lazy-loaded bedrock-sqlite (~1MB WASM) \u2014 full SQL support including joins, transactions, prepared statements, RETURNING. WASM ships in the runtime tarba...
L851: working: "openDatabaseAsync / openDatabaseSync (real bedrock instance), execAsync / execSync, prepareAsync / prepareSync, runAsync / runSync, getFirstAsync / getFirstSync, getAllAs...
L852: missing: "serializeAsync (bedrock does not expose sqlite3_serialize through its module surface), backupDatabaseAsync, addDatabaseChangeListener (no sqlite3_update_hook bindings), c...
...
L913: coverage: 0.85,
L914: no
CriticalGlobal Object Hijack Exfiltration
Source reassigns a global/builtin to a Proxy that forwards intercepted runtime data to an external endpoint.
dist-lib/skills.cjsView on unpkg · L374 374Trigger-reachable chain: manifest.exports -> dist-lib/skills.cjs
L374: coverage: 0.95,
L375: note: "string read/write via real navigator.clipboard, image read/write via real ClipboardItem on browsers that expose it (Chromium-based, plus Safari 13.4+). getImageAsync returns...
L376: working: "getStringAsync / setStringAsync / setString / hasStringAsync via navigator.clipboard, getImageAsync returning { data: base64, size: { width, height } } via Clipboard.read...
L377: missing: "external-app clipboard-change events (no browser API), Firefox image read (no Clipboard.read support \u2014 falls back to null/false), text-format edge cases like RTF/HTM...
...
L850: note: "real SQLite via lazy-loaded bedrock-sqlite (~1MB WASM) \u2014 full SQL support including joins, transactions, prepared statements, RETURNING. WASM ships in the runtime tarba...
L851: working: "openDatabaseAsync / openDatabaseSync (real bedrock instance), execAsync / execSync, prepareAsync / prepareSync, runAsync / runSync, getFirstAsync / getFirstSync, getAllAs...
L852: missing: "serializeAsync (bedrock does not expose sqlite3_serialize through its module surface), backupDatabaseAsync, addDatabaseChangeListener (no sqli…
CriticalTrigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist-lib/skills.cjsView on unpkg · L374 16431return vm.runInContext(
L16432: `(function(){ with(__maestroScope){ return eval(\`${escaped}\`) } })()`,
L16433: this.context
374coverage: 0.95,
L375: note: "string read/write via real navigator.clipboard, image read/write via real ClipboardItem on browsers that expose it (Chromium-based, plus Safari 13.4+). getImageAsync returns...
L376: working: "getStringAsync / setStringAsync / setString / hasStringAsync via navigator.clipboard, getImageAsync returning { data: base64, size: { width, height } } via Clipboard.read...
L377: missing: "external-app clipboard-change events (no browser API), Firefox image read (no Clipboard.read support \u2014 falls back to null/false), text-format edge cases like RTF/HTM...
...
L850: note: "real SQLite via lazy-loaded bedrock-sqlite (~1MB WASM) \u2014 full SQL support including joins, transactions, prepared statements, RETURNING. WASM ships in the runtime tarba...
L851: working: "openDatabaseAsync / openDatabaseSync (real bedrock instance), execAsync / execSync, prepareAsync / prepareSync, runAsync / runSync, getFirstAsync / getFirstSync, getAllAs...
L852: missing: "serializeAsync (bedrock does not expose sqlite3_serialize through its module surface), backupDatabaseAsync, addDatabaseChangeListener (no sqlite3_update_hook bindings), c...
...
L913: coverage: 0.85,
L914: no
HighObfuscated Payload Loader
Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist-lib/skills.cjsView on unpkg · L374 374coverage: 0.95,
L375: note: "string read/write via real navigator.clipboard, image read/write via real ClipboardItem on browsers that expose it (Chromium-based, plus Safari 13.4+). getImageAsync returns...
L376: working: "getStringAsync / setStringAsync / setString / hasStringAsync via navigator.clipboard, getImageAsync returning { data: base64, size: { width, height } } via Clipboard.read...
L377: missing: "external-app clipboard-change events (no browser API), Firefox image read (no Clipboard.read support \u2014 falls back to null/false), text-format edge cases like RTF/HTM...
...
L850: note: "real SQLite via lazy-loaded bedrock-sqlite (~1MB WASM) \u2014 full SQL support including joins, transactions, prepared statements, RETURNING. WASM ships in the runtime tarba...
L851: working: "openDatabaseAsync / openDatabaseSync (real bedrock instance), execAsync / execSync, prepareAsync / prepareSync, runAsync / runSync, getFirstAsync / getFirstSync, getAllAs...
L852: missing: "serializeAsync (bedrock does not expose sqlite3_serialize through its module surface), backupDatabaseAsync, addDatabaseChangeListener (no sqlite3_update_hook bindings), c...
...
L913: coverage: 0.85,
L914: no
MediumUnsafe Vm Context
Package source executes code through a VM context API.
dist-lib/skills.cjsView on unpkg · L374