
@baryonlabs/cli@0.4.4

⚠ Under review

Baryon CLI: AI coding and learning agent. A wrapper around the pi coding agent that connects to the baryon.ai API by default. One-line install; switch between commercial and local models.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previously stored version introduced dangerous source.

Decision evidence

Public snapshot

Behavioral surface
  Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No License

Scanned 10 file(s), 77.4 KB of source. External domains: api.baryon.ai, cli.baryon.ai, github.com, registry.npmjs.org, vibecamp.us

Source & flagged code

5 flagged

package.json
  scripts.postinstall = node ./bin/baryon.js _welcome || true
  High: Install Time Lifecycle Scripts
  Package defines install-time lifecycle scripts.

package.json
  scripts.postinstall = node ./bin/baryon.js _welcome || true
  Medium: Ambiguous Install Lifecycle Script
  Install-time lifecycle script is not statically allowlisted and needs review.

bin/baryon.js (L21)
  L21: import { checkLatest, whoami } from "../src/api.js";
  L22: import { spawnSync } from "node:child_process";
  L23: import { createRequire } from "node:module";
  High: Child Process
  Package source references child process execution.

src/commands.js
  matchType = previous_version_dangerous_delta
  matchedPackage = @baryonlabs/cli@0.4.1
  matchedIdentity = npm:QGJhcnlvbmxhYnMvY2xp:0.4.1
  similarity = 0.444
  summary = stored previous version shares package body but lacks this dangerous source file
  Critical: Previous Version Dangerous Delta
  This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/commands.js (L265)
  L265: return new Promise((resolve) => {
  L266:   const child = spawn("baryon-edge", args, {
  L267:     stdio: "inherit",
  ...
  L271:   log(`  ${sym.warn} ${t("edge.notInstalled")}`);
  L272:   log(`  ${c.lime("npm i -g github:baryonlabs/baryon-edge")}`);
  L273:   resolve(1);
  High: Runtime Package Install
  Package source invokes a package manager install command at runtime.
  Caveat for reviewers: in the lines shown, the process actually spawned is `baryon-edge`, and the `npm i -g github:baryonlabs/baryon-edge` string is only logged as a hint when that binary is not installed (L271-L272); confirm against the full file whether an install is ever executed rather than printed. Note also that a `github:` install spec resolves outside the npm registry, so what it installs is whatever the referenced repository's default branch holds at install time unless a commit is pinned.
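The two package.json findings above (an install-time lifecycle script that is not statically allowlisted) are the ones a reviewer can reproduce from the manifest alone. The following is an added example, not the scanner's rules and not @baryonlabs/cli's code: a small classifier that reports what `npm install` would execute for a given package.json and why it needs attention. The hook list, the allowlist, the severity rules and the sample manifests are assumptions made for illustration; the first sample reuses the postinstall line shown in the scan.

```javascript
// Added example (not the scanner's or @baryonlabs/cli's own code): classify the
// install-time lifecycle scripts in a package.json so a reviewer sees what will
// run on `npm install` before letting it run.

// Hooks npm runs on its own during an install, without the user naming them.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare", "preprepare", "postprepare"];

// Illustrative allowlist (assumption): script bodies that are routine native-addon
// boilerplate. A real scanner maintains its own list; this is not the page's.
const ALLOWLISTED_BODIES = new Set([
  "node-gyp rebuild",
  "prebuild-install || node-gyp rebuild",
]);

// Tokens that mean the hook executes arbitrary code or fetches more of it.
const EXECUTION_PATTERNS = [
  { re: /\b(node|npx|tsx)\b/, why: "runs a script with an interpreter at install" },
  { re: /\b(sh|bash|zsh)\b/, why: "invokes a shell" },
  { re: /\b(curl|wget)\b/, why: "downloads at install time" },
  { re: /\b(npm|pnpm|yarn)\s+(i|install|add)\b/, why: "installs further packages at install time" },
];

// Returns one finding per install hook present: { hook, body, severity, reasons }.
function classifyInstallScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const body = scripts[hook].trim();
    const finding = { hook, body, severity: "medium", reasons: [] };
    if (ALLOWLISTED_BODIES.has(body)) {
      finding.severity = "low";
      finding.reasons.push("matches allowlisted native-addon boilerplate");
    } else {
      for (const { re, why } of EXECUTION_PATTERNS) {
        if (re.test(body)) {
          finding.severity = "high";
          finding.reasons.push(why);
        }
      }
      if (finding.reasons.length === 0) finding.reasons.push("not allowlisted; needs manual review");
    }
    // `|| true` or `; exit 0` hides the hook's exit status from npm, so a failed
    // (or deliberately quiet) action never breaks the install and is easy to miss.
    if (/\|\|\s*true\b|;\s*exit\s+0\b/.test(body)) {
      finding.reasons.push("failure of the script is masked (install succeeds regardless)");
    }
    findings.push(finding);
  }
  return findings;
}

// Constructed sample manifests. `baryon` reuses the postinstall line from the scan
// above; the other two are made up to exercise the allowlist and no-hook branches.
const SAMPLES = {
  baryon: { name: "@baryonlabs/cli", scripts: { postinstall: "node ./bin/baryon.js _welcome || true" } },
  nativeAddon: { name: "example-addon", scripts: { install: "node-gyp rebuild" } },
  clean: { name: "example-lib", scripts: { test: "vitest" } },
};

// One line per finding, in the shape a review queue would show.
function summarize(manifest) {
  return classifyInstallScripts(manifest).map(
    (f) => `${f.severity.toUpperCase()} ${f.hook}: ${f.body} (${f.reasons.join("; ")})`
  );
}

for (const [label, manifest] of Object.entries(SAMPLES)) {
  console.log(label, summarize(manifest));
}
```

Feed it the manifest from `npm view @baryonlabs/cli@0.4.4 --json` or from the tarball produced by `npm pack`, and evaluate the package without letting the hook run by installing with `npm install --ignore-scripts`. The `|| true` check is the practitioner's reason to look closer at the line flagged above: whatever `_welcome` does, npm will report a successful install either way.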

Findings

1 Critical, 4 High, 4 Medium, 5 Low

Critical  Previous Version Dangerous Delta    src/commands.js
High      Install Time Lifecycle Scripts      package.json
High      Child Process                       bin/baryon.js
High      Shell
High      Runtime Package Install             src/commands.js
Medium    Ambiguous Install Lifecycle Script  package.json
Medium    Network
Medium    Environment Vars
Medium    Structural Risk Force Deep Review
Low       Scripts Present
Low       Filesystem
Low       High Entropy Strings
Low       Url Strings
Low       No License