
@momentiq/dark-factory-cli@3.0.1

Dark Factory OSS CLI — multi-vendor adversarial critic orchestration (Cursor, Codex, Gemini, Grok) with min-complete-quorum aggregation and trusted-surface rebind

Static Scan Results

scanned 6h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.
Scanned 159 file(s), 1.61 MB of source; external domains: api.x.ai, cursor.com, docs.doppler.com, github.com, openrouter.ai

Source & flagged code

3 flagged

dist/mcp/tools/review-bypass.js
  L200: try {
  L201:   const mod = (await import(loader.modulePath));
  L202:   const Ctor = mod[loader.className];
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/mcp/tools/review-bypass.js · L200

dist/adapters/gemini-sdk.js
  package = @momentiq/dark-factory-cli; repositoryIdentity = dark-factory; dependency = @google/genai
  L32: // time — this matches the testing posture of the cycle 322.1 retry tests.
  L33: import { ApiError, GoogleGenAI, } from "@google/genai";
  L34: import { compileCriticPrompt } from "../prompt.js";
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/adapters/gemini-sdk.js · L32

dist/cycle-tracker-sync/sync_cycle_trackers.py
  path = dist/cycle-tracker-sync/sync_cycle_trackers.py; kind = build_helper; sizeBytes = 48022; magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/cycle-tracker-sync/sync_cycle_trackers.py

Findings

1 High · 5 Medium · 4 Low

High · Copied Package Dependency Bridge · dist/adapters/gemini-sdk.js
Medium · Dynamic Require · dist/mcp/tools/review-bypass.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · dist/cycle-tracker-sync/sync_cycle_trackers.py
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings