
@liumir/lmcode@0.9.5

A terminal-native AI agent for builders

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 17 file(s), 1.18 MB of source, external domains: developer.mozilla.org, docs.expo.dev, dom.spec.whatwg.org, fetch.spec.whatwg.org, gitforwindows.org, github.com, html.spec.whatwg.org, jimmy.warting.se, w3c.github.io, www.apache.org, www.w3.org
Oversized source lightweight scan
dist/app-5j7f7tTI.mjs · 4.65 MB file, sampled 256 KB
Filesystem, Network, ChildProcess, EnvironmentVars, Crypto, Shell, DynamicRequire, HighEntropyStrings, UrlStrings; external domains: docs.expo.dev, gitforwindows.org
dist/typescript-bYZQXkZW.mjs · 7.56 MB file, sampled 256 KB
Filesystem, Network, ChildProcess, DynamicRequire, HighEntropyStrings, UrlStrings; external domains: www.apache.org

Source & flagged code

7 flagged
package.json
scripts.preinstall = node -e "console.log('\n📦 正在安装 lmcode,请稍候...\n')"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.preinstall = node -e "console.log('\n📦 正在安装 lmcode,请稍候...\n')"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

dist/esm-4IzxhvVw.mjs
patternName = generic_password severity = medium line = 5510 matchedText = password...d]",
Medium
Secret Pattern

Package contains a possible secret pattern.

icon.ico
path = icon.ico kind = high_entropy_blob sizeBytes = 52489 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/typescript-bYZQXkZW.mjs
path = dist/typescript-bYZQXkZW.mjs kind = oversized_source_file sizeBytes = 7923441 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

path = dist/typescript-bYZQXkZW.mjs kind = oversized_cli_entrypoint sizeBytes = 7923441 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.


Findings

3 High · 8 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
High · Ships High Entropy Blob · icon.ico
High · Oversized Source File · dist/typescript-bYZQXkZW.mjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Secret Pattern · dist/esm-4IzxhvVw.mjs
Medium · Dynamic Require
Medium · Network
Medium · Environment Vars
Medium · Oversized Cli Entrypoint · dist/typescript-bYZQXkZW.mjs
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings