@memi-design/cli@2.1.1

Interface understanding and design-system memory for AI coding agents: UX audits, Tailwind tokens, shadcn registries, MCP, and Agent Skills.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, NativeBindings, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 270 file(s), 2.85 MB of source, external domains: 127.0.0.1, agenticui.net, api.anthropic.com, api.figma.com, api.github.com, cli.github.com, console.anthropic.com, design.penpot.app, example.com, github.com, linear.app, memoire.cv, raw.githubusercontent.com, react.dev, registry.npmjs.org, stripe.com, ui.shadcn.com, v0.dev, www.apple.com, www.figma.com, www.memoire.cv, www.npmjs.com, www.w3.org

Source & flagged code

5 flagged
dist/studio/design-system-trace.js
L1: import { execFile } from "node:child_process";
L2: import { promisify } from "node:util";
High
Child Process

Package source references child process execution.

dist/studio/design-system-trace.js · L1
dist/preview/server.js
L89: stdio: "pipe",
L90: shell: true,
L91: });
High
Shell

Package source references shell execution.

dist/preview/server.js · L89
L86: const previewDir = join(this.projectRoot, "preview");
L87: this.process = spawn("npx", ["vite", "--port", String(this.port)], {
L88: cwd: previewDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/preview/server.js · L86
dist/research/design-package.js
L189: interactions: ["hover-tooltip"],
L190: sampleData: [{ label: metric.label || metric.field, value: metric.mean }],
L191: tags: ["research-vibe-design", metric.id],
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/research/design-package.js · L189
dist/utils/update-check.js
L14: import { dirname, join } from "node:path";
L15: import { spawn } from "node:child_process";
L16: import { isStandaloneBinary } from "./runtime.js";
...
L18: export const PKG_NAME = "@memi-design/cli";
L19: const REGISTRY_URL = `https://registry.npmjs.org/${PKG_NAME}/latest`;
L20: const CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000; // once per day
...
L25: function homeDir() {
L26: return process.env.HOME || process.env.USERPROFILE || "";
L27: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/utils/update-check.js · L14

Findings

4 High · 3 Medium · 7 Low
High · Child Process · dist/studio/design-system-trace.js
High · Shell · dist/preview/server.js
High · Same File Env Network Execution · dist/utils/update-check.js
High · Runtime Package Install · dist/preview/server.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/research/design-package.js
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings