registry  /  @gstack-vibehard/installer  /  3.100.1

@gstack-vibehard/installer@3.100.1

⚠ Under review

gstack_vibehard — Cross-harness installer & fullstack template kit with deep agent integration (Codex, Claude Code, OpenCode)

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 256 file(s), 1.24 MB of source, external domains: 127.0.0.1, api.anthropic.com, astral.sh, bun.sh, cdn.jsdelivr.net, docs.astral.sh, docs.devin.ai, github.com, go.dev, install.python-poetry.org, mesh.dev-a.team, mesh.dev-b.team, opencode.ai, registry.npmjs.org, rustup.rs, sh.rustup.rs, static.rust-lang.org, www.npmjs.com, www.python.org

Source & flagged code

7 flagged · loading source
agents/skills/writing-skills/render-graphs.jsView file
17const path = require('path'); L18: const { execSync } = require('child_process'); L19:
High
Child Process

Package source references child process execution.

agents/skills/writing-skills/render-graphs.jsView on unpkg · L17
scripts/test-e2e-lifecycle.mjsView file
27L28: // npm via cmd.exe no Windows (.cmd shim dá EINVAL no execFileSync direto). L29: function npm(args, opts = {}) {
High
Shell

Package source references shell execution.

scripts/test-e2e-lifecycle.mjsView on unpkg · L27
agents/skills/brainstorming/scripts/server.cjsView file
1const crypto = require('crypto'); L2: const http = require('http'); L3: const fs = require('fs'); ... L11: function computeAcceptKey(clientKey) { L12: return crypto.createHash('sha1').update(clientKey + WS_MAGIC).digest('base64'); L13: } ... L75: L76: const PORT = process.env.BRAINSTORM_PORT || (49152 + Math.floor(Math.random() * 16383)); L77: const HOST = process.env.BRAINSTORM_HOST || '127.0.0.1'; ... L100: L101: const frameTemplate = fs.readFileSync(path.join(__dirname, 'frame-template.html'), 'utf-8'); L102: const helperScript = fs.readFileSync(path.join(__dirname, 'helper.js'), 'utf-8');
Low
Weak Crypto

Package source references weak cryptographic algorithms.

agents/skills/brainstorming/scripts/server.cjsView on unpkg · L1
scripts/test-templates.mjsView file
47// pnpm (via corepack), não npm, que não linka os workspaces. L48: const { execFileSync } = await import("node:child_process") L49: const isWin = process.platform === "win32" ... L51: : execFileSync("pnpm", a, { cwd: appDir, stdio: "inherit", timeout: 600000 }) L52: try { pnpm(["install", "--no-frozen-lockfile"]); pnpm(["build"]); ok("lite fullstack: pnpm install + build OK") } L53: catch (e) { bad(`pnpm install/build falhou: ${(e.message || "").slice(0, 80)}`) }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/test-templates.mjsView on unpkg · L47
agents/scripts/checklist.pyView file
path = agents/scripts/checklist.py kind = build_helper sizeBytes = 7563 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

agents/scripts/checklist.pyView on unpkg
src/cli/create.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @gstack-vibehard/installer@3.22.0 matchedIdentity = npm:[redacted]:3.22.0 similarity = 0.417 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/cli/create.jsView on unpkg
agents/skills/graphify/SKILL.mdView file
492patternName = generic_password severity = medium line = 492 matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in agents/skills/graphify/SKILL.md

agents/skills/graphify/SKILL.mdView on unpkg · L492

Findings

1 Critical3 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/cli/create.js
HighChild Processagents/skills/writing-skills/render-graphs.js
HighShellscripts/test-e2e-lifecycle.mjs
HighRuntime Package Installscripts/test-templates.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperagents/scripts/checklist.py
MediumStructural Risk Force Deep Review
MediumSecret Patternagents/skills/graphify/SKILL.md
LowScripts Present
LowWeak Cryptoagents/skills/brainstorming/scripts/server.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings