registry  /  @cluesmith/codev  /  3.2.3

@cluesmith/codev@3.2.3

Codev CLI - AI-assisted software development framework

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 148 file(s), 2.53 MB of source, external domains: 127.0.0.1, aistudio.google.com, antigravity.google, bellard.org, cloud.codevos.ai, github.com, react.dev, www.w3.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node ./scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/terminal/session-manager.jsView file
13*/ L14: import { spawn as cpSpawn } from 'node:child_process'; L15: import fs from 'node:fs';
High
Child Process

Package source references child process execution.

dist/terminal/session-manager.jsView on unpkg · L13
dist/lib/forge.jsView file
7* L8: * Concept commands are executed via shell (`sh -c`) to support pipes, L9: * redirects, and variable expansion in user-configured commands.
High
Shell

Package source references shell execution.

dist/lib/forge.jsView on unpkg · L7
dist/agent-farm/servers/tower-cron.jsView file
240// eslint-disable-next-line no-new-func L241: const fn = new Function('output', 'return ' + condition); L242: return !!fn(output);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/agent-farm/servers/tower-cron.jsView on unpkg · L240
dist/terminal/shellper-main.jsView file
22// createRequire enables importing native/CJS modules (like node-pty) from ESM. L23: // The package uses "type": "module", so bare `require()` is not available. L24: const require = createRequire(import.meta.url);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/terminal/shellper-main.jsView on unpkg · L22
dist/agent-farm/commands/tower.jsView file
202// Start tower server fully detached - stdio: 'ignore' ensures parent can exit L203: const serverProcess = spawn(command, args, { L204: cwd: process.cwd(), L205: env: process.env, L206: detached: true, ... L215: logToFile(`Spawned tower server with PID ${serverProcess.pid}`); L216: const dashboardUrl = `http://localhost:${port}`; L217: if (wait) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/agent-farm/commands/tower.jsView on unpkg · L202
scripts/forge/gitlab/pr-list.shView file
path = scripts/forge/gitlab/pr-list.sh kind = build_helper sizeBytes = 771 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/forge/gitlab/pr-list.shView on unpkg
dist/agent-farm/commands/workspace-recover.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @cluesmith/codev@3.2.2 matchedIdentity = npm:QGNsdWVzbWl0aC9jb2Rldg:3.2.2 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/agent-farm/commands/workspace-recover.jsView on unpkg

Findings

5 High7 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/terminal/session-manager.js
HighShelldist/lib/forge.js
HighSame File Env Network Executiondist/agent-farm/commands/tower.js
HighPrevious Version Dangerous Deltadist/agent-farm/commands/workspace-recover.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/terminal/shellper-main.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helperscripts/forge/gitlab/pr-list.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/agent-farm/servers/tower-cron.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings