registry  /  xtrm-tools  /  0.10.2

xtrm-tools@0.10.2

Claude Code tools installer (skills, hooks, MCP servers)

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis completed at 65.0% confidence. No malicious behavior was detected; 13 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 49 file(s), 476 KB of source, external domains: chat.qwen.ai, dashscope.aliyuncs.com, github.com, mcp.grep.app, registry.npmjs.org, xtrm.dev
Oversized source lightweight scan
cli/dist/index.cjs2.77 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsgithub.comregistry.npmjs.orgxtrm.dev

Source & flagged code

5 flagged · loading source
packages/pi-extensions/extensions/xtrm-ui/index.tsView file
175const componentPath = join(dirname(entryPath), "modes", "interactive", "components", "assistant-message.js"); L176: const mod = await import(pathToFileURL(componentPath).href) as { L177: AssistantMessageComponent?: AssistantMessageComponentCtor;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

packages/pi-extensions/extensions/xtrm-ui/index.tsView on unpkg · L175
.xtrm/hooks/quality-check.pyView file
path = .xtrm/hooks/quality-check.py kind = payload_in_excluded_dir sizeBytes = 13403 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.xtrm/hooks/quality-check.pyView on unpkg
path = .xtrm/hooks/quality-check.py kind = build_helper sizeBytes = 13403 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.xtrm/hooks/quality-check.pyView on unpkg
cli/dist/index.cjsView file
path = cli/dist/index.cjs kind = oversized_source_file sizeBytes = 2907496 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

cli/dist/index.cjsView on unpkg
path = cli/dist/index.cjs kind = oversized_cli_entrypoint sizeBytes = 2907496 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

cli/dist/index.cjsView on unpkg

Findings

2 High6 Medium5 Low
HighPayload In Excluded Dir.xtrm/hooks/quality-check.py
HighOversized Source Filecli/dist/index.cjs
MediumDynamic Requirepackages/pi-extensions/extensions/xtrm-ui/index.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helper.xtrm/hooks/quality-check.py
MediumOversized Cli Entrypointcli/dist/index.cjs
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings