registry  /  @golproductions/check  /  3.2.1

@golproductions/check@3.2.1

⚠ Under review

The universal anti-hallucination engine for AI coding agents. Catches what is not real before it reaches your project.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 32.7 KB of source, external domains: github.com, golproductions.com, pub-e55366a7f5994be9be04f0e205179f4a.r2.dev, triage.golproductions.com, www.golproductions.com

Source & flagged code

7 flagged · loading source
src/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @golproductions/check@3.1.5 matchedIdentity = npm:QGdvbHByb2R1Y3Rpb25zL2NoZWNr:3.1.5 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/index.jsView on unpkg
619try { L620: const { execSync } = await import("node:child_process"); L621: const url = "https://github.com/golproductions/check";
High
Child Process

Package source references child process execution.

src/index.jsView on unpkg · L619
9const BINARY_VERSION = "3.0.0"; L10: const API = "https://triage.golproductions.com/preflight"; L11: const CDN = "https://pub-[redacted].r2.dev/releases"; L12: const CLIENT_ID = process.env.GOL_CLIENT_ID || ""; L13: ... L18: try { L19: const k = readFileSync(join(homedir(), ".check", "key"), "utf8").trim(); L20: if (k) return k; ... L22: try { L23: const cfg = JSON.parse(readFileSync(join(homedir(), ".claude", "settings.json"), "utf8")); L24: return cfg.env?.GOL_CLIENT_ID || ""; ... L32: headers: { "Content-Type": "application/json", "X-GOL-CLIENT-ID": key, "User-Agent": "c/" + VERSION },
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

src/index.jsView on unpkg · L9
621const url = "https://github.com/golproductions/check"; L622: if (platform() === "win32") execSync(`start "" "${url}"`, { stdio: "ignore", shell: true }); L623: else if (platform() === "darwin") execSync(`open "${url}"`, { stdio: "ignore" }); ... L635: L636: npx @golproductions/check --install <key> Install Check with your Client ID L637: npx @golproductions/check --uninstall Remove Check from all tools
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/index.jsView on unpkg · L621
src/mcp.jsView file
4import { z } from "zod"; L5: import { execFile } from "node:child_process"; L6: import { promisify } from "node:util"; ... L9: const VERSION = "3.1.8"; L10: const API = "https://triage.golproductions.com/preflight"; L11: const CLIENT_ID = process.env.GOL_CLIENT_ID; L12: const IS_WIN = process.platform === "win32";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/mcp.jsView on unpkg · L4
4import { z } from "zod"; L5: import { execFile } from "node:child_process"; L6: import { promisify } from "node:util"; ... L9: const VERSION = "3.1.8"; L10: const API = "https://triage.golproductions.com/preflight"; L11: const CLIENT_ID = process.env.GOL_CLIENT_ID; ... L14: if (!CLIENT_ID) { L15: process.stderr.write("check: GOL_CLIENT_ID environment variable is required.\nGet your key at https://www.golproductions.com/check.html\n"); L16: process.exit(1);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

src/mcp.jsView on unpkg · L4
4import { z } from "zod"; L5: import { execFile } from "node:child_process"; L6: import { promisify } from "node:util"; ... L9: const VERSION = "3.1.8"; L10: const API = "https://triage.golproductions.com/preflight"; L11: const CLIENT_ID = process.env.GOL_CLIENT_ID; L12: const IS_WIN = process.platform === "win32"; L13: L14: if (!CLIENT_ID) { L15: process.stderr.write("check: GOL_CLIENT_ID environment variable is required.\nGet your key at https://www.golproductions.com/check.html\n"); L16: process.exit(1); ... L24: });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/mcp.jsView on unpkg · L4

Findings

1 Critical7 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/index.js
HighChild Processsrc/index.js
HighShell
HighSame File Env Network Executionsrc/mcp.js
HighHost Fingerprint Exfiltrationsrc/index.js
HighCommand Output Exfiltrationsrc/mcp.js
HighSandbox Evasion Gated Capabilitysrc/mcp.js
HighRuntime Package Installsrc/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License