registry  /  typeclaw  /  0.42.1

typeclaw@0.42.1

<p align="center"> <img src="./docs/public/typeclaw-transparent.png" alt="TypeClaw logo" width="240" /> </p>

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 603 file(s), 4.75 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.deepseek.com, api.fireworks.ai, api.github.com, api.kimi.com, api.minimax.io, api.moonshot.ai, api.openai.com, api.slack.com, api.telegram.org, api.x.ai, api.z.ai, auth.x.ai, bun.sh, chatgpt.com, claude.ai, cli.github.com, console.anthropic.com, console.x.ai, developer.webex.com, discord.com, docs.docker.com, docs.z.ai, en.wikipedia.org, example.com, example.invalid, fireworks.ai, github.com, lite.duckduckgo.com, models.dev, orbstack.dev, platform.deepseek.com, platform.minimax.io, platform.moonshot.ai, platform.openai.com, registry.npmjs.org, slack.com, t.me, www.kimi.com

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = bun run scripts/generate-schema.ts
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bun run scripts/generate-schema.ts
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
src/channels/adapters/github/auth-app.tsView file
160patternName = private_key_rsa severity = critical line = 160 matchedText = // GitHu...-`),
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/channels/adapters/github/auth-app.tsView on unpkg · L160
160patternName = private_key_rsa severity = critical line = 160 matchedText = // GitHu...-`),
Critical
Secret Pattern

RSA private key in src/channels/adapters/github/auth-app.ts

src/channels/adapters/github/auth-app.tsView on unpkg · L160
src/config/config.tsView file
matchType = previous_version_dangerous_delta matchedPackage = typeclaw@0.42.0 matchedIdentity = npm:dHlwZWNsYXc:0.42.0 similarity = 0.892 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/config/config.tsView on unpkg
1529// decode + a real exec sink (or decode piped to an interpreter, below). L1530: const EXEC_PRIMITIVES = ['exec(', 'eval(', 'new function(', 'function('] L1531:
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/config/config.tsView on unpkg · L1529
src/plugin/loader.tsView file
63} L64: const mod = (await import(toModuleSpecifier(resolved))) as { default?: unknown } L65: const defined = expectDefined(mod, entry)
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/plugin/loader.tsView on unpkg · L63
scripts/verify-procbind-sandbox.shView file
path = scripts/verify-procbind-sandbox.sh kind = build_helper sizeBytes = 2752 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/verify-procbind-sandbox.shView on unpkg

Findings

2 Critical2 High7 Medium5 Low
CriticalCritical Secretsrc/channels/adapters/github/auth-app.ts
CriticalSecret Patternsrc/channels/adapters/github/auth-app.ts
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltasrc/config/config.ts
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiresrc/plugin/loader.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/verify-procbind-sandbox.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEvalsrc/config/config.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings