registry  /  @howaboua/pi-codex-conversion  /  2.1.7

@howaboua/pi-codex-conversion@2.1.7

Codex-oriented tool and prompt adapter for pi coding agent

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 198 file(s), 1.07 MB of source, external domains: api.openai.com, auth.openai.com, chatgpt.com, discord.com, github.com, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/providers/openai-codex/node-runtime.jsView file
8}; L9: const dynamicImport = (specifier) => import(__rewriteRelativeImportExtension(specifier)); L10: let fsPromisesPromise;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/providers/openai-codex/node-runtime.jsView on unpkg · L8
dist/ui/settings/links.jsView file
1import { spawn } from "node:child_process"; L2: export const GITHUB_URL = "https://github.com/IgorWarzocha/howaboua-pi-stuff/tree/main/packages/pi-codex-conversion"; L3: export const CHANGELOG_URL = `${GITHUB_URL}/CHANGELOG.md`; ... L6: export function openExternalUrl(url) { L7: const command = process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open"; L8: const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/ui/settings/links.jsView on unpkg · L1
src/tools/view-image/bin/win32-arm64/view_image.exeView file
path = src/tools/view-image/bin/win32-arm64/view_image.exe kind = native_binary sizeBytes = 1199616 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

src/tools/view-image/bin/win32-arm64/view_image.exeView on unpkg
bin/apply_patch.cmdView file
path = bin/apply_patch.cmd kind = build_helper sizeBytes = 37 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/apply_patch.cmdView on unpkg

Findings

1 High6 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/ui/settings/links.js
MediumDynamic Requiredist/providers/openai-codex/node-runtime.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarysrc/tools/view-image/bin/win32-arm64/view_image.exe
MediumShips Build Helperbin/apply_patch.cmd
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings