twining-mcp@1.21.1

Agent coordination MCP server and Claude Code plugin — shared blackboard, decision tracking, and context assembly

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 69 file(s), 2.51 MB of source, external domains: 127.0.0.1, momentjs.com, us.i.posthog.com

Source & flagged code

1 flagged
dist/analytics/telemetry-client.js
L14: import { POSTHOG_API_KEY as BAKED_POSTHOG_KEY } from "./_generated-posthog-key.js";
L15: const DEFAULT_POSTHOG_HOST = "https://us.i.posthog.com";
L16: export class TelemetryClient {
...
L25: // Gate: respect DO_NOT_TRACK
L26: if (process.env.DO_NOT_TRACK === "1")
L27: return false;
L28: // Gate: auto-disable in CI
L29: if (process.env.CI === "true")
L30: return false;
...
L37: this.distinctId = createHash("sha256")
L38: .update(os.hostname() + projectRoot)
L39: .digest("hex")
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/analytics/telemetry-client.js · L14

Findings

1 High · 3 Medium · 5 Low
High: Sandbox Evasion Gated Capability (dist/analytics/telemetry-client.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Telemetry
Low: Url Strings