registry  /  @jvittechs/j  /  1.0.103

@jvittechs/j@1.0.103

A unified CLI tool for JV-IT TECHS developers to manage Jai1 Framework. Supports both `j` and `jai1` commands. Please contact TeamAI for usage instructions.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 1020 KB of source, external domains: api.example.com, example.com, github.com, nodejs.org, pypi.org, registry.npmjs.org, skills.sh, store.jai1.io

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli-main-4O67NASR.jsView file
10351patternName = supabase_service_key severity = critical line = 10351 matchedText = $ jai1 u...w5c"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/cli-main-4O67NASR.jsView on unpkg · L10351
10351patternName = supabase_service_key severity = critical line = 10351 matchedText = $ jai1 u...w5c"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/cli-main-4O67NASR.js

dist/cli-main-4O67NASR.jsView on unpkg · L10351
199cronstrue: "^2.50.0", L200: execa: "^9.6.1", L201: figlet: "^1.9.4",
High
Shell

Package source references shell execution.

dist/cli-main-4O67NASR.jsView on unpkg · L199
12396case "pnpm": L12397: devDepsCmd = `pnpm add -D ${pkgList}`; L12398: break; ... L12411: executeUpgrade(command) { L12412: execSync(command, { stdio: "inherit", env: { ...process.env, FORCE_COLOR: "1" } }); L12413: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli-main-4O67NASR.jsView on unpkg · L12396
49constructor() { L50: this.jai1Dir = join(homedir(), ".jai1"); L51: this.errorDir = join(this.jai1Dir, "errors"); ... L66: stack: err.stack, L67: exitCode: error instanceof Jai1Error ? error.exitCode : void 0, L68: details: context.details ... L91: const bytes = Buffer.byteLength(content, "utf-8"); L92: const entry = JSON.parse(content); L93: return { entry, bytes }; ... L136: L137: // package.json L138: var package_default = {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli-main-4O67NASR.jsView on unpkg · L49
dist/chunk-V2TO2ADY.jsView file
3import { join } from "path"; L4: import { execSync } from "child_process"; L5: import { createHash } from "crypto";
High
Child Process

Package source references child process execution.

dist/chunk-V2TO2ADY.jsView on unpkg · L3
scripts/redmine-sync-issue.shView file
path = scripts/redmine-sync-issue.sh kind = build_helper sizeBytes = 1000 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/redmine-sync-issue.shView on unpkg

Findings

2 Critical4 High5 Medium6 Low
CriticalCritical Secretdist/cli-main-4O67NASR.js
CriticalSecret Patterndist/cli-main-4O67NASR.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/chunk-V2TO2ADY.js
HighShelldist/cli-main-4O67NASR.js
HighRuntime Package Installdist/cli-main-4O67NASR.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/redmine-sync-issue.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/cli-main-4O67NASR.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings