WelsonJS - Build a Windows app on the Windows built-in JavaScript engine
Drift inferred · capture-to-capture
- HIGH code analysis flagged hidden prompt content, dynamic code execution ×8 in gnh1201/welsonjs
transport http counts 0 tools · 0 res
· 0 prompts
permission surface via code analysis
no tools enumerated yet for this server.
prompt-surface
shipped agent-instruction files + hidden-content / dangerous-code findings —
quoted from the analyzed source
analyzed commit bad1b2c · analyzer v18 · 8h ago
skills & prompt files 2
- ⚠ hidden: readme: hidden-unicodegnh1201-welsonjs-bad1b2c/README.md:163
* :eyes: [Hacker News](https://news.ycombinator.com/item?id=41316782&utm_source=welsonjs), [Node Weekly (#‹U+200B›582 - June 17, 2025)](https://nodeweekly.com/issues/582?utm_source=welsonjs), [WebTool
- agent-rulesgnh1201-welsonjs-bad1b2c/AGENTS.md
danger signals12
- dynamic code executioneval()gnh1201-welsonjs-bad1b2c/app.js:351
return eval(require._load(FN)); - dynamic code executioneval()gnh1201-welsonjs-bad1b2c/app/assets/js/json2.js:515
j = eval("(" + text + ")"); - dynamic code executionnew Function()gnh1201-welsonjs-bad1b2c/app/assets/js/linq-4.0.2.wsh.js:55
f = new Function(args, "return " + expression); - dynamic code executioneval()gnh1201-welsonjs-bad1b2c/app/assets/js/peg-0.10.0.js:143
case "parser": return eval(ast.code); - dynamic code executioneval()gnh1201-welsonjs-bad1b2c/lib/autoit.js:46
eval("this._interface." + functionName + "(\"" + args.map(addslashes).join("\", \"") + "\")"); - dynamic code executioneval()gnh1201-welsonjs-bad1b2c/lib/file.js:99
eval(readFile(path)); - dynamic code executioneval()gnh1201-welsonjs-bad1b2c/lib/jsunit.js:1022
testObj = eval(source); - dynamic code executioneval()gnh1201-welsonjs-bad1b2c/mcploader.js:103
return String(eval(script)); - credential in logscredential in loggnh1201-welsonjs-bad1b2c/lib/anthropic.js:18
console.log("Anthropic (Claude) API KEY:", apikey); - credential in logscredential in loggnh1201-welsonjs-bad1b2c/lib/chatgpt.js:18
console.log("OpenAI (ChatGPT) API KEY:", apikey); - credential in logscredential in loggnh1201-welsonjs-bad1b2c/lib/grok.js:18
console.log("Grok (x.ai) API KEY:", apikey); - credential in logscredential in loggnh1201-welsonjs-bad1b2c/lib/groq.js:18
console.log("Groq (GroqCloud) API KEY:", apikey);
evidence-backed
findings quoted directly from the published source artifact — not inferred
shell / exec 3
- shell gnh1201-welsonjs-bad1b2c/app/assets/js/core-js-3.38.0.minified.js :10
var n=e(46),o=e(20),i=e(353);t.exports=function(t,r){var e;return n(t),o(r)&&r.constructor===t?r:((0,(e=i.f(t)).resolve)(r),e.promise)}},function(t,r,e){var n=e(3),o=e(8),i=e(30),a=e(353),u=e(350),c=e - shell gnh1201-welsonjs-bad1b2c/app/assets/js/core-js-3.49.0.wsh.js :979
return !!exec(); - shell gnh1201-welsonjs-bad1b2c/lib/registry.js :144
function execFile(FN) {
network 4
- net gnh1201-welsonjs-bad1b2c/app/assets/js/core-js-3.38.0.minified.js :14
;break;case"EvalError":case"RangeError":case"ReferenceError":case"SuppressedError":case"SyntaxError":case"TypeError":case"URIError":a=new(c(i));break;case"CompileError":case"LinkError":case"RuntimeErr - net gnh1201-welsonjs-bad1b2c/app/assets/js/core-js-3.49.0.wsh.js :29140
fetch: function fetch(input /* , init */) { - net gnh1201-welsonjs-bad1b2c/lib/system.js :65
return WMI.execQuery("SELECT Caption FROM Win32_OperatingSystem").fetch().get("Caption").trim(); - net gnh1201-welsonjs-bad1b2c/testloader.js :76
var result = WMI.execQuery(queryString).fetch().get("Caption").trim();
declared dependencies 11
- core-js@^3.21.1
- excanvas@^2.0.0
- html5shiv@^3.7.3
- jquery@^3.6.0
- jquery-form@^4.3.0
- jquery-toast-plugin@^1.3.2
- jquery-ui@^1.13.2
- js-yaml@^4.1.1
- jsrender@^1.0.11
- modernizr@^3.12.0
- squel@^5.13.0