registry  /  @lovinka/eve  /  0.2.2

@lovinka/eve@0.2.2

Terminal client for eve — chat TUI, priority-lane asks, live control plane, approvals.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis completed at 93.0% confidence. No malicious behavior was detected; 8 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 51 file(s), 205 KB of source, external domains: eve.dev.lovinka.com, github.com, registry.npmjs.org

Source & flagged code

2 flagged · loading source
dist/chunk-gq9a79p4.jsView file
17// src/commands/setup.ts L18: import { spawnSync } from "node:child_process"; L19: import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; ... L32: The \`eve\` CLI (\`@lovinka/eve\`, source \`eve-ai-layer/packages/eve-cli\`) talks to the L33: eve agent at \`https://eve.dev.lovinka.com\`. Asks ride eve's **interactive priority L34: lane** when it is busy — they jump ahead of queued board/review work. ... L42: L43: - \`--json\` → single JSON object on stdout: L44: \`{status: "done"|"failed"|"waiting", answer, sessionId, consoleUrl, transport}\`. ... L126: writeFileSync(join(dir, "_eve"), ZSH_SCRIPT); L127: const zshrc = join(homedir(), ".zshrc"); L128: const current = existsSync(zshrc) ? readFileSync(zshrc, "utf8") : "";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-gq9a79p4.jsView on unpkg · L17
dist/chunk-41knprr0.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @lovinka/eve@0.2.1 matchedIdentity = npm:QGxvdmlua2EvZXZl:0.2.1 similarity = 1.238 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-41knprr0.jsView on unpkg

Findings

1 High3 Medium4 Low
HighPrevious Version Dangerous Deltadist/chunk-41knprr0.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-gq9a79p4.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings