
@hybridlabor-api/bdb-antigravity-skills@1.1.9

Optimized Antigravity skills and MCP pack for BDB DEV

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 491 file(s), 2.61 MB of source, external domains: api.apify.com, console.apify.com, prod.spline.design

Source & flagged code

12 flagged
mcps/unreal_mcp/.env.production
patternName = blocked_file
severity = critical
matchedText = mcps/unreal_mcp/.env.production
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret

Package contains a critical-looking secret pattern.

mcps/unreal_mcp/tests/test-runner.mjs
L771: async function runNpmBuild() {
L772: const { spawn } = await import('node:child_process');
L773: await new Promise((resolve, reject) => {
High
Child Process

Package source references child process execution.

mcps/unreal_mcp/src/tools/handlers/pipeline/pipeline-ubt-discovery.ts
L6:
L7: const execAsync = util.promisify(exec);
L8:
High
Shell

Package source references shell execution.

mcps/unreal_mcp/src/utils/commands/command-validator.ts
L35: 'import os', 'import subprocess', 'subprocess.', 'os.system',
L36: 'exec(', 'eval(', '__import__', 'import sys', 'import importlib',
L37: 'with open', 'open(', 'write(', 'read('
Low
Eval

Package source references a known benign dynamic code generation pattern.

mcps/adobe_uxp_mcp/plugins/photoshop/index.js
L1: const { app, core } = require("photoshop");
L2:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

mcps/unreal_mcp/src/automation/request-tracker.ts
L16: export class RequestTracker {
L17: private pendingRequests = new Map<string, PendingRequest>();
L18: private coalescedRequests = new Map<string, Promise<AutomationBridgeResponseMessage>>();
Low
Weak Crypto

Package source references weak cryptographic algorithms.

installer.js
L267: try {
L268: execSync('npm install --no-audit --no-fund', { cwd: targetFolder, stdio: 'ignore' });
L269: if (fs.existsSync(path.join(targetFolder, 'tsconfig.json'))) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

mcps/unreal_mcp/scripts/package-plugin.bat
path = mcps/unreal_mcp/scripts/package-plugin.bat
kind = build_helper
sizeBytes = 8688
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/global_config/web-artifacts-builder/scripts/shadcn-components.tar.gz
path = skills/global_config/web-artifacts-builder/scripts/shadcn-components.tar.gz
kind = high_entropy_blob
sizeBytes = 19967
magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

path = skills/global_config/web-artifacts-builder/scripts/shadcn-components.tar.gz
kind = compressed_blob
sizeBytes = 19967
magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

skills/global_config/playwright-skill/lib/helpers.js
patternName = generic_password
severity = medium
line = 208
matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in skills/global_config/playwright-skill/lib/helpers.js

skills/global_legacy/playwright-skill/lib/helpers.js
patternName = generic_password
severity = medium
line = 208
matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in skills/global_legacy/playwright-skill/lib/helpers.js


Findings

1 Critical · 4 High · 8 Medium · 5 Low

Critical · Critical Secret · mcps/unreal_mcp/.env.production
High · Child Process · mcps/unreal_mcp/tests/test-runner.mjs
High · Shell · mcps/unreal_mcp/src/tools/handlers/pipeline/pipeline-ubt-discovery.ts
High · Runtime Package Install · installer.js
High · Ships High Entropy Blob · skills/global_config/web-artifacts-builder/scripts/shadcn-components.tar.gz
Medium · Dynamic Require · mcps/adobe_uxp_mcp/plugins/photoshop/index.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · mcps/unreal_mcp/scripts/package-plugin.bat
Medium · Ships Compressed Blob · skills/global_config/web-artifacts-builder/scripts/shadcn-components.tar.gz
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · skills/global_config/playwright-skill/lib/helpers.js
Medium · Secret Pattern · skills/global_legacy/playwright-skill/lib/helpers.js
Low · Eval · mcps/unreal_mcp/src/utils/commands/command-validator.ts
Low · Weak Crypto · mcps/unreal_mcp/src/automation/request-tracker.ts
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings