Back to Dashboard
100
@metorial/oss07377 files scannedMay 21, 2026

Do not install this package

We found dangerous patterns that could harm your computer or steal your data. This package runs hidden code automatically when you install it. Unless you are 100% sure you trust the author and have reviewed the code yourself, do not install this.

What We Found(197 issues)

Each card explains what was found and what it means in plain English. Click "Technical details" for the full breakdown.

CRITICALCRIT-002

DO NOT INSTALL. This package runs code BEFORE you can even see what it does. Almost no legitimate package needs this. It's like a delivery driver demanding to enter your house before you can check what's in the box.

Technical details

Any preinstall script is suspicious. Legitimate packages almost never need to run code before installation. This hook executes before the user can inspect the package.

"preinstall": "[ -f \"
package.json:16
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import('child_process'
scripts/generators/src/index.ts:700
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/systems/forge/service/src/providers/local/index.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/systems/function-bay/packages/utils/src/util/command.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
src/systems/function-bay/service/src/providers/local/invoke.ts:1
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
scripts/generators/src/index.ts:702
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/systems/forge/service/src/providers/local/index.ts:54
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/systems/function-bay/packages/utils/src/util/command.ts:26
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
src/systems/function-bay/service/src/providers/local/invoke.ts:152
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/systems/subspace/packages/conduit/src/adapters/coordination/redisCoordination.ts:93
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/systems/subspace/packages/conduit/src/adapters/coordination/redisCoordination.ts:114
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/systems/synthesis/service/src/lib/definitions/sandbox.ts:129
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
src/systems/synthesis/service/src/lib/definitions/sandbox.ts:138
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.PGPASSWORD
scripts/test-tools/src/cli.ts:21
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CORE_DB_PASSWORD
src/backend/db/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CORE_DB_PASSWORD
src/backend/db/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/ares/service/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/ares/service/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/ares/service/src/init.ts:4
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/ares/service/src/init.ts:12
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.SSO_DATABASE_PASSWORD
src/systems/ares/service/src/init.ts:18
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.SSO_DATABASE_PASSWORD
src/systems/ares/service/src/init.ts:28
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/ares/service/src/init.ts:32
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/ares/service/src/init.ts:38
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.TURNSTILE_SECRET_KEY
src/systems/ares/service/src/lib/turnstile.ts:42
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/cargo/db/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/cargo/db/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/cargo/service/src/init.ts:4
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/cargo/service/src/init.ts:12
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/forge/service/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/forge/service/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/forge/service/src/init.ts:4
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/forge/service/src/init.ts:12
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/forge/service/src/init.ts:15
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/forge/service/src/init.ts:20
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/forge/service/src/init.ts:26
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/function-bay/service/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/function-bay/service/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/function-bay/service/src/init.ts:2
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/function-bay/service/src/init.ts:5
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/function-bay/service/src/init.ts:10
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/origin/apps/service/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/origin/apps/service/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/origin/apps/service/src/init.ts:2
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/origin/apps/service/src/init.ts:6
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/shuttle/service/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/shuttle/service/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/shuttle/service/src/init.ts:2
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/shuttle/service/src/init.ts:5
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/shuttle/service/src/init.ts:10
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/signal/service/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/signal/service/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/signal/service/src/init.ts:4
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/signal/service/src/init.ts:12
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/signal/service/src/init.ts:15
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/signal/service/src/init.ts:20
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/signal/service/src/init.ts:26
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/slates/apps/hub/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/slates/apps/hub/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/slates/apps/hub/src/init.ts:2
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/slates/apps/hub/src/init.ts:5
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/slates/apps/hub/src/init.ts:10
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/slates/apps/registry/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/slates/apps/registry/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/slates/apps/registry/src/init.ts:2
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/slates/apps/registry/src/init.ts:6
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/subspace/apps/controller/src/init.ts:2
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/subspace/apps/controller/src/init.ts:5
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/subspace/apps/controller/src/init.ts:10
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/subspace/apps/public/src/init.ts:2
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/subspace/apps/public/src/init.ts:5
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/subspace/apps/public/src/init.ts:10
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/subspace/apps/worker/src/init.ts:2
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/subspace/apps/worker/src/init.ts:5
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/subspace/apps/worker/src/init.ts:10
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/subspace/db/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/subspace/db/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/synthesis/service/prisma.config.ts:9
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/synthesis/service/prisma.config.ts:14
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/synthesis/service/src/init.ts:8
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.DATABASE_PASSWORD
src/systems/synthesis/service/src/init.ts:16
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/synthesis/service/src/init.ts:23
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.REDIS_AUTH_TOKEN
src/systems/synthesis/service/src/init.ts:29
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
scripts/dev-tools/package.json:9
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
scripts/generators/package.json:18
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
scripts/test-tools/package.json:9
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/frontend/state/package.json:20
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/ares/service/package.json:33
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/cargo/db/package.json:15
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/cargo/modules/doc/package.json:12
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/cargo/modules/file/package.json:12
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/cargo/modules/search/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/cargo/modules/skill/package.json:12
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/cargo/modules/store/package.json:12
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/cargo/packages/list-utils/package.json:12
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/cargo/service/package.json:33
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/forge/service/package.json:29
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/function-bay/packages/nodejs/package.json:30
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/function-bay/service/package.json:29
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/origin/apps/code-bucket/package.json:13
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
src/systems/origin/apps/code-workspace/package.json:14
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
src/systems/origin/apps/code-workspace/package.json:15
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
src/systems/origin/apps/code-workspace/package.json:19
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/origin/apps/service/package.json:18
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/shuttle/service/package.json:32
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/signal/service/package.json:28
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/slates/apps/hub/package.json:33
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/slates/apps/hub/package.json:86
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/slates/apps/registry/package.json:27
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/apps/controller/package.json:28
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/apps/dev/package.json:19
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/apps/public/package.json:20
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/apps/worker/package.json:14
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/db/package.json:14
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/modules/search/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/packages/conduit/package.json:16
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/packages/connection-utils/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/packages/generator/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/packages/list-utils/package.json:12
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/packages/presenters/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/packages/redis-url/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/packages/retry-utils/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/packages/store/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/provider-backends/provider-manager/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/provider-backends/provider-native/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/provider-backends/provider-shuttle/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/provider-backends/provider-slates/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/provider-backends/provider-utils/package.json:10
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/subspace/test-servers/package.json:11
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"latest"
src/systems/synthesis/service/package.json:26
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:9
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:15
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:21
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:25
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:29
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:45
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:51
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:55
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:61
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:65
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:74
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:80
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:91
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:95
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:151
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:155
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:161
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:170
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:184
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:188
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:192
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:209
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:213
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:223
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:239
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:243
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:255
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:257
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:259
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:278
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:305
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:309
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:313
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:323
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:336
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:340
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:346
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:363
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:367
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:371
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:386
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:388
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:392
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:407
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:413
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:417
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:436
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:442
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:451
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:455
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:468
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:472
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:485
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:496
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:502
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:509
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
src/systems/ares/service/src/apis/sso/templates/index.ts:515
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(`
scripts/generators/src/index.ts:127
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(`
scripts/generators/src/index.ts:128
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(`
scripts/generators/src/index.ts:129
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import (\
scripts/generators/src/index.ts:383
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import (\
scripts/generators/src/languages/go/endpoint.ts:155
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(b
src/systems/function-bay/packages/function-bay/src/index.ts:46
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(p
src/systems/function-bay/service/src/providers/aws-lambda/deploy.ts:176
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(c
src/systems/function-bay/service/src/providers/local/invoke.ts:49
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(p
src/systems/function-bay/service/src/providers/local/invoke.ts:52
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
src/systems/subspace/modules/auth/src/queues/reconcile/tenantManagedBackings.ts:32

Finding Summary

1

Critical

82

High

114

Medium

0

Low

0

Info