registry  /  @jolli.ai/cli  /  0.99.5

@jolli.ai/cli@0.99.5

AI development process auto-documentation tool - generates structured commit summaries from Claude Code, Codex, Gemini, OpenCode, Cursor, and Copilot sessions

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 33 file(s), 2.44 MB of source, external domains: 127.0.0.1, auth.jolli.ai, cli.github.com, git-scm.com, github.com, www.eclipse.org, www.jolli.ai, www.w3.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "require('fs').existsSync('dist/PostInstall.js') && require('child_process').spawnSync(process.execPath,['dist/PostInstall.js'],{stdio:'inherit'})"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "require('fs').existsSync('dist/PostInstall.js') && require('child_process').spawnSync(process.execPath,['dist/PostInstall.js'],{stdio:'inherit'})"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/graph-assets/vendor/elk.bundled.jsView file
6611*******************************************************************************/ L6612: var ELK = require('./elk-api.js')["default"]; L6613: var ELKNode = /*#__PURE__*/function (_ELK) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/graph-assets/vendor/elk.bundled.jsView on unpkg · L6611
dist/Api.jsView file
14import { basename as $e, dirname as O, isAbsolute as $t, join as $, parse as Yn, relative as vt, resolve as ve } from "node:path"; L15: import { createServer as ks } from "node:http"; L16: import { URL as Cs, fileURLToPath as Qn, pathToFileURL as Xn } from "node:url"; ... L36: headers: r, L37: body: JSON.stringify({ code: t }), L38: signal: AbortSignal.timeout(Ht) ... L48: try { L49: i = await s.json(); L50: } catch (a) { ... L235: Login failed:`, n instanceof Error ? n.message : n), console.log(` You can try again with 'jolli auth login'. L236: `), process.exitCode = 1; L237: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/Api.jsView on unpkg · L14

Findings

1 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/graph-assets/vendor/elk.bundled.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/Api.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings