yodaman@0.3.4

YodaMan — local-first workspace intelligence. AI agent, semantic search, Graphify knowledge graphs, plugins, VS Code extension, mobile companion.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Minified, Obfuscated, Url Strings
  Manifest: No manifest risk signals triggered.
scanned 32 file(s), 540 KB of source, external domains: 127.0.0.1, ollama.com, reactjs.org, unpkg.com, www.w3.org

Source & flagged code

6 flagged

start.js
  L1: const { execSync, spawn } = require('child_process');
  L2: const fs = require('fs');
High · Child Process

Package source references child process execution.

start.js · L1

  L53:   stdio: 'inherit',
  L54:   shell: true
  L55: });
High · Shell

Package source references shell execution.

start.js · L53

  L1: const { execSync, spawn } = require('child_process');
  L2: const fs = require('fs');
Medium · Dynamic Require

Package source references dynamic require/import behavior.

start.js · L1

server.js
  Scanner note at L6: Manifest entrypoint (manifest.main) carries capability families absent from dist/build output: environment+network
  L6:  // Initialize Infrastructure & Services
  L7:  process.env.DOTENVX_QUIET = 'true';
  L8:  const watcherService = require('./[redacted]');
  ...
  L34: const PORT = Number(process.env.YODAMAN_PORT || 3090);
  L35: const CONFIG_PATH = process.env.YODAMAN_CONFIG_PATH || path.join(__dirname, 'config.json');
  L36:
  L37: app.use(cors());
  L38: app.use(express.json());
  L39: app.use(logger.requestId);
  ...
  L46:   'Content-Security-Policy',
  L47:   "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; connect-src 'self' http://localhost:* http://127.0.0.1:*"
  L48: );
High · Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

server.js · L6

backend/interfaces/RestController.js
  L5:  const crypto = require('crypto');
  L6:  const { execFile } = require('child_process');
  L7:  ...
  L29: const router = express.Router();
  L30: const DEFAULT_CONFIG_PATH = path.join(__dirname, '../../config.json');
  L31: const PLUGINS_DIR = path.resolve(__dirname, '../../plugins');
  ...
  L59: function getConfigPath() {
  L60:   return process.env.YODAMAN_CONFIG_PATH || DEFAULT_CONFIG_PATH;
  L61: }
  ...
  L63: function jsonError(res, status, message, code) {
  L64:   return res.status(status).json({ error: message, code });
  L65: }
High · Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

backend/interfaces/RestController.js · L5

  L1584: const installScript = process.platform === 'darwin'
  L1585:   ? 'npm install -g @context-expert/cli'
  L1586:   : 'npm install -g @context-expert/cli';
  ...
  L1589:
  L1590: execFile('/bin/sh', ['-c', installScript], { timeout: 120000 }, (err, stdout) => {
  L1591:   if (err) {
High · Runtime Package Install

Package source invokes a package manager install command at runtime.

backend/interfaces/RestController.js · L1584

Findings

5 High · 4 Medium · 5 Low

High · Child Process · start.js
High · Shell · start.js
High · Entrypoint Build Divergence · server.js
High · Sandbox Evasion Gated Capability · backend/interfaces/RestController.js
High · Runtime Package Install · backend/interfaces/RestController.js
Medium · Dynamic Require · start.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings