registry  /  tide-commander  /  1.129.1

tide-commander@1.129.1

Visual multi-agent orchestrator and manager for Claude Code with 3D/2D interface

Static Scan Results

scanned 11h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 353 file(s), 7.17 MB of source, external domains: 127.0.0.1, admin.google.com, api.anthropic.com, api.bitbucket.org, api.github.com, bitbucket.org, claude.ai, commander.local, console.cloud.google.com, example.com, github.com, id.atlassian.com, kenney.nl, kroki.io, ns.adobe.com, react.dev, registry.npmjs.org, wiki.example.com, www.googleapis.com, www.gstatic.com, www.w3.org, www.xfa.org, yourcompany.atlassian.net
Oversized source lightweight scan
dist/assets/main-ChEsMqV1.js2.71 MB file, sampled 256 KB
NetworkHighEntropyStringsMinifiedUrlStringsreact.dev

Source & flagged code

7 flagged · loading source
dist/assets/index-v31fNaZP.jsView file
5patternName = private_key_openssh severity = critical line = 5 matchedText = NODE_ENV...in(`
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/assets/index-v31fNaZP.jsView on unpkg · L5
5patternName = private_key_openssh severity = critical line = 5 matchedText = NODE_ENV...in(`
Critical
Secret Pattern

OpenSSH private key in dist/assets/index-v31fNaZP.js

dist/assets/index-v31fNaZP.jsView on unpkg · L5
dist/assets/pdf.worker.min-FHbmGBN0.mjsView file
24* pdfjsBuild = ada343803 L25: */const e=!("object"!=typeof process||process+""!="[object process]"||process.versions.nw||process.versions.electron&&process.type&&"browser"!==process.type),t=[.001,0,0,.001,0,0],... L26: /*webpackIgnore: true*/
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/pdf.worker.min-FHbmGBN0.mjsView on unpkg · L24
24* pdfjsBuild = ada343803 L25: */const e=!("object"!=typeof process||process+""!="[object process]"||process.versions.nw||process.versions.electron&&process.type&&"browser"!==process.type),t=[.001,0,0,.001,0,0],... L26: /*webpackIgnore: true*/
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/pdf.worker.min-FHbmGBN0.mjsView on unpkg · L24
dist/src/packages/server/integrations/whatsapp/whatsapp-trigger-handler.jsView file
134direction: payload.direction, L135: body: payload.body, L136: messageType: payload.mediaType ?? 'text', ... L573: // Protocol-relative; pick scheme from baseUrl. L574: const scheme = baseUrl.startsWith('https://') ? 'https:' : 'http:'; L575: return scheme + url;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/packages/server/integrations/whatsapp/whatsapp-trigger-handler.jsView on unpkg · L134
scripts/krunner/install-krunner-integration.shView file
path = scripts/krunner/install-krunner-integration.sh kind = build_helper sizeBytes = 1784 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/krunner/install-krunner-integration.shView on unpkg
dist/assets/main-ChEsMqV1.jsView file
path = dist/assets/main-ChEsMqV1.js kind = oversized_source_file sizeBytes = 2838638 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/assets/main-ChEsMqV1.jsView on unpkg

Findings

2 Critical1 High6 Medium7 Low
CriticalCritical Secretdist/assets/index-v31fNaZP.js
CriticalSecret Patterndist/assets/index-v31fNaZP.js
HighOversized Source Filedist/assets/main-ChEsMqV1.js
MediumDynamic Requiredist/assets/pdf.worker.min-FHbmGBN0.mjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helperscripts/krunner/install-krunner-integration.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/assets/pdf.worker.min-FHbmGBN0.mjs
LowWeak Cryptodist/src/packages/server/integrations/whatsapp/whatsapp-trigger-handler.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings