npm analyzed 7.57.0

loki-mode

v7.57.0

npm

Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 8 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).

maintainer: asklokesh
license: BUSL-1.1
first seen: 2026-06-02
last seen: 2026-06-17
releases · 30d: 124
short id

Drift inferred · capture-to-capture

HIGH 2026-06-04 code analysis flagged committed secret ×2 in loki-mode

capabilities 0 tools

transport stdio · http counts 0 tools · 0 res · 0 prompts permission surface via code analysis

no tools enumerated yet for this server.

skills & danger signals npm-tarball

prompt-surface shipped agent-instruction files + hidden-content / dangerous-code findings — quoted from the analyzed source

analyzed v7.57.0 · analyzer v18 · 1h ago

skills & prompt files 4

skillpackage/SKILL.md
skillpackage/integrations/openclaw/SKILL.md
agent-rulespackage/references/agents.md
agent-rulespackage/skills/agents.md

danger signals4

suspicious bundled scriptsuspicious bundled scriptpackage/autonomy/lib/claude-flags.sh:528# curl|bash path delegates to `npx -y github:JuliusBrussee/caveman#<ref>`. We
suspicious bundled scriptsuspicious bundled scriptpackage/autonomy/run.sh:523eval "$(_LOKI_SETTINGS_FILE="$settings_file" python3 -c "
suspicious bundled scriptsuspicious bundled scriptpackage/autonomy/sandbox.sh:189log_error " Linux: curl -fsSL https://get.docker.com | sh"
suspicious bundled scriptsuspicious bundled scriptpackage/autonomy/serve.sh:125echo " curl -fsSL https://deno.land/install.sh | sh"

code evidence v7.57.0 · npm-tarball

evidence-backed findings quoted directly from the published source artifact — not inferred

filesystem 34

fs package/api/server.js :27 const fs = require('fs');
fs package/api/test.js :31 const fs = require('fs');
fs package/autonomy/api-server.js :30 const fs = require('fs');
fs package/bin/postinstall.js :7 const fs = require('fs');
fs package/events/bus.ts :8 import * as fs from "fs";
fs package/learning/signals.ts :10 import * as fs from "fs";
fs package/src/audit/compliance-scheduler.js :44 var fs = require('fs');
fs package/src/audit/compliance.js :3 var fs = require('fs');
fs package/src/audit/crosslink.js :37 var fs = require('fs');
fs package/src/audit/log.js :3 const fs = require('fs');
fs package/src/audit/residency.js :3 var fs = require('fs');
fs package/src/audit/subscriber.js :4 var fs = require('fs');
fs package/src/integrations/github/reporter.js :14 var fs = require('fs');
fs package/src/integrations/linear/config.js :3 const fs = require('fs');
fs package/src/integrations/sync-subscriber.js :4 var fs = require('fs');
fs package/src/observability/otel-bridge.js :19 const fs = require('fs');
fs package/src/plugins/index.js :67 const fs = require('fs');
fs package/src/plugins/loader.js :3 const { readFileSync, readdirSync, existsSync, statSync, watch } = require('fs');
fs package/src/plugins/validator.js :3 const { readFileSync } = require('fs');
fs package/src/policies/approval.js :19 const fs = require('fs');
fs package/src/policies/cost.js :28 const fs = require('fs');
fs package/src/policies/engine.js :19 const fs = require('fs');
fs package/src/protocols/auth/oauth.js :4 const fs = require('fs');
fs package/src/protocols/mcp-client-manager.js :3 var fs = require('fs');
fs package/src/protocols/mcp-server.js :22 const fs = require('fs');
fs package/src/protocols/resources/continuity.js :3 const fs = require('fs');
fs package/src/protocols/resources/memory.js :3 const fs = require('fs');
fs package/src/protocols/tools/agent-metrics.js :3 const fs = require('fs');
fs package/src/protocols/tools/checkpoint-restore.js :3 const fs = require('fs');
fs package/src/protocols/tools/project-status.js :3 const fs = require('fs');
fs package/src/protocols/tools/quality-report.js :3 const fs = require('fs');
fs package/src/protocols/tools/start-project.js :3 const fs = require('fs');
fs package/state/manager.ts :12 import * as fs from "fs";
fs package/state/test_manager.ts :8 import * as fs from "fs";

shell / exec 11

shell package/api/server.js :29 const { spawn } = require('child_process');
shell package/api/test.js :29 const { spawn, execSync } = require('child_process');
shell package/autonomy/api-server.js :32 const { spawn, execSync } = require('child_process');
shell package/bin/loki-mode.js :13 const { spawn } = require('child_process');
shell package/bin/postinstall.js :90 const { execSync } = require('child_process');
shell package/loki-ts/dist/loki.js :335 Start a session with: loki start <prd>`}}let X=oQ(z);return{exitCode:0,stdout:Q?nQ(X,Z):aQ(X,Z)}}async function sQ($){let{emitDeprecatedAlias:Q}=await Promise.resolve().then(() => (e$(),Z0));Q("stats"
shell package/src/audit/crosslink.js :41 var { execFileSync } = require('child_process');
shell package/src/plugins/gate-plugin.js :3 const { execFile } = require('child_process');
shell package/src/plugins/mcp-plugin.js :3 const { execFile } = require('child_process');
shell package/src/policies/cost.js :30 const { execFileSync } = require('child_process');
shell package/src/protocols/mcp-client.js :3 const { spawn } = require('child_process');

network 21

net package/api/client.ts :67 const response = await fetch(`${this.baseUrl}${path}`, {
net package/api/server.js :26 const http = require('http');
net package/api/test.js :28 const http = require('http');
net package/autonomy/api-server.js :29 const http = require('http');
net package/bin/postinstall.js :211 const https = require('https');
net package/loki-ts/dist/loki.js :335 Start a session with: loki start <prd>`}}let X=oQ(z);return{exitCode:0,stdout:Q?nQ(X,Z):aQ(X,Z)}}async function sQ($){let{emitDeprecatedAlias:Q}=await Promise.resolve().then(() => (e$(),Z0));Q("stats"
net package/src/integrations/github/reporter.js :13 var https = require('https');
net package/src/integrations/jira/api-client.js :3 var https = require('https');
net package/src/integrations/linear/client.js :3 const https = require('https');
net package/src/integrations/teams/adapter.js :5 var https = require('https');
net package/src/observability/otel.js :536 const httpModule = isHttps ? require('https') : require('http');
net package/src/observability/siem-export.js :277 const httpModule = isHttps ? require('https') : require('http');
net package/src/plugins/integration-plugin.js :3 const { request } = require('https');
net package/src/policies/approval.js :21 const http = require('http');
net package/src/protocols/a2a/client.js :3 var https = require('https');
net package/src/protocols/mcp-client.js :4 const http = require('http');
net package/src/protocols/transport/sse.js :3 const http = require('http');
net package/web-app/dist/assets/HomePage-BQk-MUjn.js :27 `)}},[]),Q=async()=>{if(!(!i.trim()||A)){_(!0),S(null),$(!0);try{const g=await j.planSession(i,y);S(g)}catch{S({complexity:"unknown",cost_estimate:"N/A",iterations:0,phases:[],output_text:"Failed to r
net package/web-app/dist/assets/MagicPage-Bzp2Nt1z.js :31 */const he=[["path",{d:"M3 5h.01",key:"18ugdj"}],["path",{d:"M3 12h.01",key:"nlz23k"}],["path",{d:"M3 19h.01",key:"noohij"}],["path",{d:"M8 5h13",key:"1pao27"}],["path",{d:"M8 12h13",key:"1za7za"}],["
net package/web-app/dist/assets/ProjectPage-BfFcZp-E.js :268 `)||"Done.",filesChanged:R.files_changed,returncode:R.returncode}:{})),((le=R.files_changed)==null?void 0:le.length)>0&&s&&s(R.files_changed)},[e,s]),ie=d.useCallback(async z=>{var J;const V=new Abort
net package/web-app/dist/assets/index-B-0iHBPO.js :2 var P0=Object.defineProperty;var ep=(i,c,r)=>c in i?P0(i,c,{enumerable:!0,configurable:!0,writable:!0,value:r}):i[c]=r;var Ln=(i,c,r)=>ep(i,typeof c!="symbol"?c+"":c,r);(function(){const c=document.cr

secrets 5

secrets package/loki-ts/dist/loki.js :509 `;var H6=L(()=>{V6();c()});function h8(){return process.env.LOKI_TIER||"oss"}function B6($){let Q=h8();if(Q==="oss")return{allowed:!0,notes:[]};if(!process.env.LOKI_LICENSE_KEY)return{allowed:!1,notes
secrets package/src/integrations/slack/adapter.js :10 this._token = (options && options.token) || process.env.LOKI_SLACK_BOT_TOKEN || '';
secrets package/src/integrations/sync-subscriber.js :77 if (process.env.LOKI_JIRA_URL && process.env.LOKI_JIRA_TOKEN) {
secrets package/src/integrations/teams/adapter.js :16 this._webhookSecret = (options && options.webhookSecret) || process.env.LOKI_TEAMS_WEBHOOK_SECRET || '';
secrets package/src/protocols/auth/oauth.js :174 if (process.env.MCP_AUTH_TOKEN) {

declared dependencies 8

@types/node@^25.2.0
jest@^29.7.0
jsdom@^24.0.0
typescript@^5.9.3
@opentelemetry/api@^1.9.0
@opentelemetry/sdk-trace-node@^1.30.0
@opentelemetry/sdk-trace-base@^1.30.0
@opentelemetry/exporter-trace-otlp-http@^0.57.0