registry  /  the-campfire  /  0.4.2

the-campfire@0.4.2

Campfire — collaborative web platform for AI coding agents. Run Claude Code, Codex, Goose, Aider, and more from one browser UI with real-time collaboration, permission voting, and automation.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 169 file(s), 5.12 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.example.com, api.linear.app, api.openai.com, app.posthog.com, cdn.jsdelivr.net, chevrotain.io, en.wikipedia.org, github.com, hooks.slack.com, jquery.org, langium.org, openrouter.ai, platform.claude.com, posthog.com, react.dev, registry.npmjs.org, sentry.io, tldrlegal.com, www.apple.com, www.moltbook.com, www.w3.org, yandex.com

Source & flagged code

3 flagged · loading source
server/service.tsView file
9import { homedir } from "node:os"; L10: import { execFileSync } from "node:child_process"; L11: import { DEFAULT_PORT } from "./constants.js"; ... L15: L16: const CAMPFIRE_DIR = join(homedir(), ".campfire"); L17: const LOG_DIR = join(CAMPFIRE_DIR, "logs"); L18: const STDOUT_LOG = join(LOG_DIR, "campfire.log"); L19: const STDERR_LOG = join(LOG_DIR, "campfire.error.log"); ... L23: const BIN_WHICH = "/usr/bin/which"; L24: const BIN_LAUNCHCTL = "/bin/launchctl"; L25: const BIN_SYSTEMCTL = "/usr/bin/systemctl"; ... L44: function ensureSupportedPlatform(): void {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

server/service.tsView on unpkg · L9
server/usage-limits.tsView file
1import { execSync, execFileSync } from "node:child_process"; L2: import { existsSync, readFileSync } from "node:fs"; ... L16: L17: const OAUTH_TOKEN_URL = "https://platform.claude.com/v1/oauth/token"; L18: const OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e"; ... L21: const CACHE_DURATION_MS = 60 * 1000; L22: let cache: { data: UsageLimits; timestamp: number } | null = null; L23: ... L32: try { L33: if (process.platform === "win32") { L34: const home = L35: process.env.USERPROFILE || process.env.HOME || homedir() || "";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

server/usage-limits.tsView on unpkg · L1
dist/fonts/Geist-Variable.woff2View file
path = dist/fonts/Geist-Variable.woff2 kind = high_entropy_blob sizeBytes = 69436 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/fonts/Geist-Variable.woff2View on unpkg

Findings

2 High4 Medium7 Low
HighSandbox Evasion Gated Capabilityserver/usage-limits.ts
HighShips High Entropy Blobdist/fonts/Geist-Variable.woff2
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistenceserver/service.ts
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings