registry  /  @entelligentsia/forgecli  /  1.1.4

@entelligentsia/forgecli@1.1.4

Forge SDLC ported onto @earendil-works/pi-coding-agent — production launcher with three bin aliases (forge/forgecli/4ge). Bundles a curated fork of pi-coding-agent vendored under earendil-works names.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 319 file(s), 4.43 MB of source, external domains: 127.0.0.1, api.github.com, cdn.jsdelivr.net, cdn.tailwindcss.com, cli.github.com, code.claude.com, faux.local, fonts.googleapis.com, fonts.gstatic.com, github.com, json-schema.org, raw.githubusercontent.com, registry.npmjs.org, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/mcp/server.cjsView file
7var __hasOwnProp = Object.prototype.hasOwnProperty; L8: var __commonJS = (cb, mod) => function __require() { L9: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/mcp/server.cjsView on unpkg · L7
2941sourceCode = this.opts.code.process(sourceCode, sch); L2942: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L2943: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/mcp/server.cjsView on unpkg · L2941
dist/extensions/forgecli/review-server.jsView file
1import { spawn } from "node:child_process"; L2: import * as fs from "node:fs/promises"; L3: import * as http from "node:http"; L4: import * as path from "node:path"; L5: import { fileURLToPath } from "node:url"; L6: const __dirname = path.dirname(fileURLToPath(import.meta.url)); L7: /** ... L21: res.writeHead(200, { "Content-Type": "text/html" }); L22: res.end(html); L23: return; ... L46: try { L47: const feedback = JSON.parse(body);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/extensions/forgecli/review-server.jsView on unpkg · L1

Findings

1 High4 Medium6 Low
HighSandbox Evasion Gated Capabilitydist/extensions/forgecli/review-server.js
MediumDynamic Requiredist/mcp/server.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/mcp/server.cjs
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings