registry  /  tolingclaw  /  1.0.47

tolingclaw@1.0.47

跨境电商轻量智能体框架

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 51 file(s), 1.05 MB of source, external domains: api.deepseek.com, coding.dashscope.aliyuncs.com, dashscope.aliyuncs.com, github.com, token-plan.cn-beijing.maas.aliyuncs.com, toling.me, vuejs.org, www.w3.org
Oversized source lightweight scan
src/ControlUI/dist/assets/index-DZyM5dLW.js2.57 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsvuejs.orgwww.w3.org

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
src/modules/db.cjsView file
5patternName = generic_password severity = medium line = 5 matchedText = password...4s',
Medium
Secret Pattern

Package contains a possible secret pattern.

src/modules/db.cjsView on unpkg · L5
bin/tolingclaw.jsView file
116L117: const { main } = await import(pathToFileURL(mainPath).href); L118: await main();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/tolingclaw.jsView on unpkg · L116
bin/desktop-start.batView file
path = bin/desktop-start.bat kind = build_helper sizeBytes = 1310 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/desktop-start.batView on unpkg
src/ControlUI/dist/assets/index-DZyM5dLW.jsView file
path = src/ControlUI/dist/assets/index-DZyM5dLW.js kind = oversized_source_file sizeBytes = 2690945 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

src/ControlUI/dist/assets/index-DZyM5dLW.jsView on unpkg
src/agent.jsView file
matchType = previous_version_dangerous_delta matchedPackage = tolingclaw@1.0.46 matchedIdentity = npm:dG9saW5nY2xhdw:1.0.46 similarity = 0.941 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/agent.jsView on unpkg

Findings

3 High7 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighOversized Source Filesrc/ControlUI/dist/assets/index-DZyM5dLW.js
HighPrevious Version Dangerous Deltasrc/agent.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patternsrc/modules/db.cjs
MediumDynamic Requirebin/tolingclaw.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/desktop-start.bat
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings