volute@0.40.2

CLI for creating and managing self-modifying AI minds powered by the Claude Agent SDK

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 21 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, Obfuscated, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 182 file(s), 2.11 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.telegram.org, discord.com, en.wikipedia.org, github.com, jimmy.warting.se, openrouter.ai, registry.npmjs.org, slack.com, svelte.dev, volute.systems, www.adobe.com, www.apple.com, www.brucelindbloom.com, www.w3.org
Oversized source lightweight scan
dist/src-OS75U2O7.js: 9.28 MB file, sampled 256 KB
Filesystem, Network, ChildProcess, EnvironmentVars, Shell, HighEntropyStrings, Telemetry, UrlStrings
external domains: en.wikipedia.org, github.com, jimmy.warting.se, www.adobe.com, www.brucelindbloom.com, www.w3.org

Source & flagged code

11 flagged

dist/chunk-I57LLNAQ.js
L7: // [redacted].ts
L8: import { execFileSync } from "child_process";
L9: import { existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "fs";
High
Child Process

Package source references child process execution.

dist/chunk-I57LLNAQ.js · L7

dist/status-BRYYYO7C.js
L94: });
L95: var run = cmd.execute;
L96: async function getServiceInfo() {
High
Shell

Package source references shell execution.

dist/status-BRYYYO7C.js · L94

dist/chunk-ZOI6D2YH.js
L789: try {
L790: const { getSleepManagerIfReady: getSleepManagerIfReady2 } = await import("./sleep-manager-TTNOLIX5.js");
L791: const sleepState = getSleepManagerIfReady2()?.getState(name);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-ZOI6D2YH.js · L789

dist/chunk-TOANT6FD.js
L11: // [redacted]-install.ts
L12: import { execFile } from "child_process";
L13: import { mkdirSync, writeFileSync } from "fs";
...
L37: if (opts?.host) args.push("--host", opts.host);
L38: const logPath = resolve(homedir(), ".volute", "system", "daemon.log");
L39: return `<?xml version="1.0" encoding="UTF-8"?>
...
L84: const voluteBin = resolveVoluteBin();
L85: const platform = process.platform;
L86: if (platform === "darwin") {
...
L90: try {
L91: await execFileAsync("launchctl", ["bootout", `${uid}/${LAUNCHD_PLIST_LABEL}`]);
L92: } catch {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-TOANT6FD.js · L11

dist/daemon.js
L452: );
L453: const daemonToken = process.env.VOLUTE_DAEMON_TOKEN;
L454: if (!daemonToken) {
...
L461: ...process.env,
L462: VOLUTE_DAEMON_URL: `http://${daemonLoopback()}:${daemonPort}`,
L463: VOLUTE_DAEMON_TOKEN: daemonToken,
...
L467: };
L468: const child = spawn(process.execPath, [builtinBridge], spawnOpts);
L469: let lastStderr = "";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/daemon.js · L452

L461: ...process.env,
L462: VOLUTE_DAEMON_URL: `http://${daemonLoopback()}:${daemonPort}`,
L463: VOLUTE_DAEMON_TOKEN: daemonToken,
...
L467: };
L468: const child = spawn(process.execPath, [builtinBridge], spawnOpts);
L469: let lastStderr = "";
L470: child.stdout?.pipe(logStream);
L471: child.stderr?.on("data", (chunk) => {
L472: logStream.write(chunk);
L473: lastStderr = chunk.toString().trim();
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/daemon.js · L461

L7050: const [cmd, args] = await wrapForIsolation("npm", ["install"], mindName);
L7051: await exec(cmd, args, {
L7052: cwd: variantDir,
...
L7059: const msg = e instanceof Error ? e.message : String(e);
L7060: return c.json({ error: `npm install failed: ${msg}` }, 500);
L7061: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/daemon.js · L7050

dist/skills/dreaming/scripts/wake-context-dreams.sh
path = [redacted]-context-dreams.sh kind = build_helper sizeBytes = 1180 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/skills/dreaming/scripts/wake-context-dreams.sh

templates/_base/.init/.local/hooks/wake-context.sh
path = templates/_base/.init/.local/hooks/wake-context.sh kind = payload_in_excluded_dir sizeBytes = 421 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/_base/.init/.local/hooks/wake-context.sh

dist/src-OS75U2O7.js
path = dist/src-OS75U2O7.js kind = oversized_source_file sizeBytes = 9731133 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/src-OS75U2O7.js

path = dist/src-OS75U2O7.js kind = oversized_cli_entrypoint sizeBytes = 9731133 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/src-OS75U2O7.js

Findings

7 High · 7 Medium · 7 Low
High · Child Process · dist/chunk-I57LLNAQ.js
High · Shell · dist/status-BRYYYO7C.js
High · Same File Env Network Execution · dist/daemon.js
High · Command Output Exfiltration · dist/daemon.js
High · Runtime Package Install · dist/daemon.js
High · Payload In Excluded Dir · templates/_base/.init/.local/hooks/wake-context.sh
High · Oversized Source File · dist/src-OS75U2O7.js
Medium · Dynamic Require · dist/chunk-ZOI6D2YH.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/chunk-TOANT6FD.js
Medium · Ships Build Helper · dist/skills/dreaming/scripts/wake-context-dreams.sh
Medium · Oversized Cli Entrypoint · dist/src-OS75U2O7.js
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings