registry  /  @frostime/pi-acp  /  0.2.1

@frostime/pi-acp@0.2.1

ACP adapter for pi coding agent

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
Manifest
CopyleftLicense
scanned 1 file(s), 114 KB of source

Source & flagged code

2 flagged · loading source
dist/index.jsView file
54// src/pi-rpc/process.ts L55: import { spawn } from "child_process"; L56: import * as readline from "readline";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L54
3178try { L3179: const piVersion = spawnSync("pi", ["--version"], { encoding: "utf-8" }); L3180: const installed = (String(piVersion.stdout ?? "").trim() || String(piVersion.stderr ?? "").trim()).replace( ... L3191: if (compareSemver(latest, installed) <= 0) return null; L3192: return `New version available: v${latest} (installed v${installed}). Run: \`npm i -g @earendil-works/pi-coding-agent\``; L3193: } catch {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L3178

Findings

3 High2 Medium5 Low
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowCopyleft License