registry  /  @pellux/goodvibes-tui  /  1.16.0

@pellux/goodvibes-tui@1.16.0

⚠ Under review

Terminal-native GoodVibes product for coding, operations, automation, knowledge, channels, and daemon-backed control-plane workflows.

Static Scan Results

scanned 13m ago · by rust-scanner

Static analysis flagged 22 finding(s) at 97.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 570 file(s), 4.81 MB of source, external domains: 127.0.0.1, 192.168.0.85, 192.168.1.50, api.github.com, astral.sh, bluebubbles.local, bun.sh, cloud.debian.org, daemon.example.com, deno.land, discord.com, example.com, github.com, goodvibes-batch-worker.account.workers.dev, goodvibes.sh, homeassistant.local, imessage-bridge.local, install.duckdb.org, matrix.example.com, mattermost.example.com, ntfy.sh, signal-bridge.local, slack.com, smba.trafficmanager.net

Source & flagged code

14 flagged · loading source
package.jsonView file
scripts.postinstall = bun scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = sh scripts/check-bun.sh
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts.postinstall = bun scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
src/panels/modals/pairing-modal.tsView file
156patternName = generic_password severity = medium line = 156 matchedText = url: 'ht...ui',
Medium
Secret Pattern

Package contains a possible secret pattern.

src/panels/modals/pairing-modal.tsView on unpkg · L156
bin/launcher-support.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @pellux/goodvibes-tui@1.7.0 matchedIdentity = npm:QHBlbGx1eC9nb29kdmliZXMtdHVp:1.7.0 similarity = 0.483 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/launcher-support.jsView on unpkg
3import { createRequire } from 'node:module'; L4: import { spawnSync } from 'node:child_process'; L5: import { dirname, join } from 'node:path';
High
Child Process

Package source references child process execution.

bin/launcher-support.jsView on unpkg · L3
src/input/commands/hooks-runtime.tsView file
120} L121: await workbench.import(path, strategy); L122: ctx.print(`Imported managed hooks from ${path} using ${strategy} strategy.`);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/input/commands/hooks-runtime.tsView on unpkg · L120
src/verification/live-verifier.tsView file
89} L90: return `http://127.0.0.1:${port}`; L91: } ... L94: return new Promise((resolveCommand) => { L95: const child = spawn(command, args, { L96: cwd, L97: env: { ...process.env, NO_COLOR: '1' }, L98: stdio: ['ignore', 'pipe', 'pipe'],
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/verification/live-verifier.tsView on unpkg · L89
src/runtime/sandbox-public-gaps.tsView file
2import { dirname, resolve } from 'node:path'; L3: import { spawnSync } from 'node:child_process'; L4: import { ... L191: backend: 'local', L192: command: process.env.SHELL || 'bash', L193: args: ['-lc', `echo "goodvibes sandbox ${profile.id}: ${label}"`], ... L207: readonly status: number | null; L208: readonly stdout: string; L209: readonly stderr: string; ... L367: const authorizedKeys = publicKey L368: ? ` ssh_authorized_keys:\n - ${publicKey}\n` L369: : ' # Generate keys/goodvibes_qemu_ed25519.pub before rebuilding nocloud.iso.\n';
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

src/runtime/sandbox-public-gaps.tsView on unpkg · L2
scripts/check-bun.shView file
path = scripts/check-bun.sh kind = build_helper sizeBytes = 461 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/check-bun.shView on unpkg
src/input/commands/platform-sandbox-qemu.tsView file
matchType = normalized_sha256 matchedPackage = @pellux/goodvibes-tui@0.29.0 matchedPath = src/input/commands/platform-sandbox-qemu.ts matchedIdentity = npm:QHBlbGx1eC9nb29kdmliZXMtdHVp:0.29.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/input/commands/platform-sandbox-qemu.tsView on unpkg
src/panels/builtin-modals.tsView file
212patternName = generic_password severity = medium line = 212 matchedText = if (line...m();
Medium
Secret Pattern

Hardcoded password in src/panels/builtin-modals.ts

src/panels/builtin-modals.tsView on unpkg · L212
src/runtime/onboarding/apply.tsView file
91patternName = generic_password severity = medium line = 91 matchedText = if (line...th);
Medium
Secret Pattern

Hardcoded password in src/runtime/onboarding/apply.ts

src/runtime/onboarding/apply.tsView on unpkg · L91
src/daemon/cli.tsView file
74patternName = generic_password severity = medium line = 74 matchedText = return l...m();
Medium
Secret Pattern

Hardcoded password in src/daemon/cli.ts

src/daemon/cli.tsView on unpkg · L74

Findings

2 Critical5 High11 Medium4 Low
CriticalPersistence Backdoorsrc/runtime/sandbox-public-gaps.ts
CriticalPrevious Version Dangerous Deltabin/launcher-support.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/launcher-support.js
HighShell
HighSame File Env Network Executionsrc/verification/live-verifier.ts
HighKnown Malware Source Similaritysrc/input/commands/platform-sandbox-qemu.ts
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patternsrc/panels/modals/pairing-modal.ts
MediumDynamic Requiresrc/input/commands/hooks-runtime.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/check-bun.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternsrc/panels/builtin-modals.ts
MediumSecret Patternsrc/runtime/onboarding/apply.ts
MediumSecret Patternsrc/daemon/cli.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings