by getpaseo
Coding agents from your phone, desktop and CLI
# Add to your Claude Code skills
git clone https://github.com/getpaseo/paseoLast scanned: 4/20/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@cloudflare/vite-plugin: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@expo/config: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@expo/config-plugins: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@expo/plist: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@expo/prebuild-config: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@hono/node-server: @hono/node-server: Middleware bypass via repeated slashes in serveStatic",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@modelcontextprotocol/sdk: Anthropic's MCP TypeScript SDK has a ReDoS vulnerability",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@tanstack/react-start: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@tanstack/react-start-server: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@tanstack/start-plugin-core: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@tanstack/start-server-core: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@tootallnate/once: @tootallnate/once vulnerable to Incorrect Control Flow Scoping",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@typescript-eslint/eslint-plugin: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@typescript-eslint/parser: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@typescript-eslint/type-utils: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@typescript-eslint/typescript-estree: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@typescript-eslint/utils: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@xmldom/xmldom: xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ajv: ajv has ReDoS when using `$data` option",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "axios: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "body-parser: body-parser is vulnerable to denial of service when url encoding is used",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "diff: jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",
"severity": "low"
},
{
"type": "npm-audit",
"message": "eas-cli: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "electron: Electron: Use-after-free in offscreen shared texture release() callback",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "expo-module-scripts: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "flatted: Prototype Pollution via parse() in NodeJS flatted",
"severity": "high"
},
{
"type": "npm-audit",
"message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "h3: h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read",
"severity": "high"
},
{
"type": "npm-audit",
"message": "hono: Hono missing validation of cookie name on write path in setCookie()",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "http-proxy-agent: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "jest-environment-jsdom: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "jest-expo: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "jsdom: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "markdown-it: Uncontrolled Resource Consumption in markdown-it",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "miniflare: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "node-forge: node-forge has ASN.1 Unbounded Recursion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "react-native-markdown-display: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "smol-toml: smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "srvx: srvx is vulnerable to middleware bypass via absolute URI in request line ",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "tar: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "undici: Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
"severity": "high"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "high"
},
{
"type": "npm-audit",
"message": "wrangler: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "yaml: yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"severity": "medium"
}
],
"status": "WARNING",
"scannedAt": "2026-04-20T06:16:21.296Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}No comments yet. Be the first to share your thoughts!
Run agents in parallel on your own machines. Ship from your phone or your desk.
Paseo runs a local server called the daemon that manages your coding agents. Clients like the desktop app, mobile app, web app, and CLI connect to it.
You need at least one agent CLI installed and configured with your credentials:
Download it from paseo.sh/download or the GitHub releases page. Open the app and the daemon starts automatically. Nothing else to install.
To connect from your phone, scan the QR code shown in Settings.
Install the CLI and start Paseo:
npm install -g @getpaseo/cli
paseo
This shows a QR code in the terminal. Connect from any client. This path is useful for servers and remote machines.
For full setup and configuration, see:
Everything you can do in the app, you can do from the terminal.
paseo run --provider claude/opus-4.6 "implement user authentication"
paseo run --provider codex/gpt-5.4 --worktree feature-x "implement feature X"
paseo ls # list running agents
paseo attach abc123 # stream live output
paseo send abc123 "also add tests" # follow-up task
# run on a remote daemon
paseo --host workstation.local:6767 run "run the full test suite"
See the full CLI reference for more.
Skills teach your agent to use Paseo to orchestrate other agents.
npx skills add getpaseo/paseo
Then use them in any agent conversation:
/paseo-handoff — hand off work between agents. I use this to plan with Claude and then handoff to Codex to implement./paseo-loop — loop an agent against clear acceptance criteria (aka Ralph loops), optionally with a verifier./paseo-advisor — spin up a single agent as an advisor for a second opinion, without delegating the work itself./paseo-committee — form a committee of two contrasting agents to step back, do root cause analysis, and produce a plan.Quick monorepo package map:
packages/server: Paseo daemon (agent process orchestration, WebSocket API, MCP server)packages/app: Expo client (iOS, Android, web)packages/cli: paseo CLI for daemon and agent workflowspackages/desktop: Electron desktop apppackages/relay: Relay package for remote connectivitypackages/website: Marketing site and documentation (paseo.sh)Common commands:
# run all local dev services
npm run dev
# run individual surfaces
npm run dev:server
npm run dev:app
npm run dev:desktop
npm run dev:website
# build the daemon
npm run build:daemon
# repo-wide checks
npm run typecheck
Self-hosted relays use ws:// unless TLS is opted in. For a relay behind nginx on 443, start the daemon with:
PASEO_RELAY_ENDPOINT=127.0.0.1:8080 \
PASEO_RELAY_PUBLIC_ENDPOINT=relay.example.com:443 \
PASEO_RELAY_USE_TLS=true \
paseo daemon start
Equivalent config:
{
"daemon": {
"relay": {
"enabled": true,
"endpoint": "127.0.0.1:8080",
"publicEndpoint": "relay.example.com:443",
"useTls": true
}
}
}
Minimal nginx WebSocket proxy:
server {
listen 443 ssl;
server_name relay.example.com;
ssl_certificate /etc/letsencrypt/live/relay.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/relay.example.com/privkey.pem;
location /ws {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
}
AGPL-3.0