registry  /  userelay  /  0.4.6

userelay@0.4.6

One MCP server. 40 tools. One command: npx userelay

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 51.0 KB of source, external domains: api.github.com, github.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/install.jsView file
5const path = require("path"); L6: const { spawnSync } = require("child_process"); L7: const { ... L27: force: false, L28: version: process.env.RELAY_VERSION || PACKAGE_VERSION, L29: }; ... L92: L93: const stderr = result.stderr ? result.stderr.toString().trim() : ""; L94: const stdout = result.stdout ? result.stdout.toString().trim() : ""; ... L107: async function getLatestReleaseVersion() { L108: const release = await downloadJson(`https://api.github.com/repos/${REPO}/releases/latest`); L109: const version = `${release.tag_name || ""}`.replace(/^v/, "");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/install.jsView on unpkg · L5
bin/run.jsView file
matchType = previous_version_dangerous_delta matchedPackage = userelay@0.4.4 matchedIdentity = npm:dXNlcmVsYXk:0.4.4 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/run.jsView on unpkg

Findings

3 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitybin/install.js
HighPrevious Version Dangerous Deltabin/run.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings