registry  /  @golproductions/check  /  3.2.26

@golproductions/check@3.2.26

⚠ Under review

Less hallucinations. A command firewall for AI agents: validates every shell command before execution, so fabricated commands are denied before they run.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedTrivialUrlStrings
Manifest
NoLicense
scanned 2 file(s), 27.3 KB of source, external domains: github.com, golproductions.com, pub-e55366a7f5994be9be04f0e205179f4a.r2.dev, triage.golproductions.com, www.golproductions.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @golproductions/check@3.2.25 matchedIdentity = npm:QGdvbHByb2R1Y3Rpb25zL2NoZWNr:3.2.25 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
1#!/usr/bin/env node L2: import{readFileSync as e,writeFileSync as o,mkdirSync as t,existsSync as s,createWriteStream as n,chmodSync as r,unlinkSync as c,rmSync as i}from"node:fs";import{spawnSync as a,spa...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
1#!/usr/bin/env node L2: import{readFileSync as e,writeFileSync as o,mkdirSync as t,existsSync as s,createWriteStream as n,chmodSync as r,unlinkSync as c,rmSync as i}from"node:fs";import{spawnSync as a,spa...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1
dist/mcp.jsView file
1#!/usr/bin/env node L2: import{McpServer as t}from"@[redacted].js";import{StdioServerTransport as e}from"@[redacted].js";import{z as r}from"zod";import{...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/mcp.jsView on unpkg · L1

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/mcp.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License