registry  /  @cr8rcho/alkahest  /  0.1.41

@cr8rcho/alkahest@0.1.41

Screen-graph CLI that reverse-engineers a product from code (React/Next static analysis → product map)

Static Scan Results

scanned 15h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 56 file(s), 359 KB of source, external domains: 127.0.0.1, api.github.com, ytcmzkrvtomtcrcyqqcb.supabase.co

Source & flagged code

2 flagged · loading source
dist/core/serve.jsView file
3import { extname, resolve } from "node:path"; L4: import { spawn } from "node:child_process"; L5: import { platform } from "node:os";
High
Child Process

Package source references child process execution.

dist/core/serve.jsView on unpkg · L3
dist/commands/update.jsView file
23console.log("[alkahest] update by reinstalling the latest from npm:"); L24: console.log(` npm install -g ${pkgName}@latest`); L25: return; L26: } L27: const run = (cmd, args) => execFileSync(cmd, args, { cwd: pkgRoot, stdio: "inherit" }); L28: try {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/update.jsView on unpkg · L23

Findings

3 High3 Medium5 Low
HighChild Processdist/core/serve.js
HighShell
HighRuntime Package Installdist/commands/update.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings