@evolith/smart-cli@1.1.7

This package is deprecated. It is still in development and will be republished under a new versioning scheme.

Evolith Smart CLI - Governance, standards validation, and AI agent integration for satellite repositories

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 73 file(s), 457 KB of source, external domains: adoptium.net, aws.amazon.com, docs.docker.com, dotnet.microsoft.com, github.com, go.dev, helm.sh, kubernetes.io, nodejs.org, openbao.org, python.org, rustup.rs, www.terraform.io

Source & flagged code

5 flagged
package.json
scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/contributions/index.js
L3: exports.ContributionValidator = void 0;
L4: var contribution_validator_1 = require("./contribution-validator");
L5: Object.defineProperty(exports, "ContributionValidator", { enumerable: true, get: function () { return contribution_validator_1.ContributionValidator; } });
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/contributions/index.js · L3
dist/commands/completion/completion.command.js
L77: detectShell() {
L78: const shell = process.env.SHELL || '';
L79: if (shell.includes('zsh')) ...
L107: async installBash(completionDir) {
L108: const bashrc = path.join(os.homedir(), '.bashrc');
L109: const completionScript = path.join(completionDir, 'completion.bash');
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/completion/completion.command.js · L77
shell/completion.bash
path = shell/completion.bash
kind = build_helper
sizeBytes = 2884
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

shell/completion.bash

Findings

1 High · 7 Medium · 5 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/contributions/index.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/commands/completion/completion.command.js
Medium · Ships Build Helper · shell/completion.bash
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings