registry  /  @rizom/brain  /  0.2.0-alpha.138

@rizom/brain@0.2.0-alpha.138

⚠ Under review

Brain runtime + CLI — scaffold, run, and manage AI brain instances

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
WildcardDependency
scanned 12 file(s), 3.71 MB of source, external domains: api.cloudflare.com, api.hetzner.cloud, cdn.jsdelivr.net, example.com, fonts.googleapis.com, github.com, react.dev, reactjs.org, rizom.ai, tailwindcss.com, www.w3.org, www.w3ctech.com
Oversized source lightweight scan
dist/brain.js6.88 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsEvalNativeBindingsHighEntropyStringsUrlStringsapi.cloudflare.comapi.hetzner.cloudgithub.comrizom.ai
dist/ui/app.js13.7 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsgithub.comreact.devreactjs.org

Source & flagged code

7 flagged · loading source
dist/services.jsView file
42return `+str.trim()+`; L43: }());`;return eval(str)||{}}catch($){if(wrap!==!1&&/(unexpected|identifier)/i.test($.message))return parse(str,options,!1);throw SyntaxError($)}},stringify:function(){throw Error("... L44: * strip-bom-string <https://github.com/jonschlinkert/strip-bom-string> L45: * ... L51: `+J.delimiters[1],V=$.content;if(J.language)$.language=J.language;let Y=X.length;if(!s$.startsWith(V,X,Y))return a$($,J),$;if(V.charAt(Y)===X.slice(-1))return $;V=V.slice(Y);let W=... L52: `)$.content=$.content.slice(1)}if(a$($,J),J.sections===!0||typeof J.section==="function")RW($,J.section);return $}E1.engines=OW;E1.stringify=function($,G,J){if(typeof $==="string")... L53: `).join(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/services.jsView on unpkg · L42
42return `+str.trim()+`; L43: }());`;return eval(str)||{}}catch($){if(wrap!==!1&&/(unexpected|identifier)/i.test($.message))return parse(str,options,!1);throw SyntaxError($)}},stringify:function(){throw Error("... L44: * strip-bom-string <https://github.com/jonschlinkert/strip-bom-string>
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/services.jsView on unpkg · L42
dist/site.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @rizom/brain@0.2.0-alpha.137 matchedIdentity = npm:QHJpem9tL2JyYWlu:0.2.0-alpha.137 similarity = 0.917 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/site.jsView on unpkg
189</rss>`}var fI=p((ma0,$I)=>{class wI{constructor(w={}){if(!(w.maxSize&&w.maxSize>0))throw TypeError("`maxSize` must be a number greater than 0");if(typeof w.maxAge==="number"&&w.ma... L190: GFS4: `),console.error(w)};if(!c1[L2]){if(pO=global[L2]||[],BI(c1,pO),c1.close=function(w){function $(f,X){return w.call(c1,f,function(W){if(!W)zI();if(typeof X==="function")X.appl... L191: `).filter(Boolean))Y.log(` ${k}`)}return J()}return J(q)}if(Q===A)return J();if(Z&&Y.fileDependencies)Y.fileDependencies.add(Z);let B={...W,path:Q,request:F,ignoreSymlinks:!0,full...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/site.jsView on unpkg · L189
327Defaulting to 2020, but this will stop working in the future.`)),h.ecmaVersion=11):h.ecmaVersion>=2015&&(h.ecmaVersion-=2009),h.allowReserved==null&&(h.allowReserved=h.ecmaVersion<... L328: `,z-1)+1,this.curLine=this.input.slice(0,this.lineStart).split(o).length):(this.pos=this.lineStart=0,this.curLine=1),this.type=v.eof,this.value=null,this.start=this.end=this.pos,th... L329: `),cooked:null}):z.value={raw:this.input.slice(this.start,this.end).replace(/\r\n?/g,`
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/site.jsView on unpkg · L327
dist/ui/app.jsView file
path = dist/ui/app.js kind = oversized_source_file sizeBytes = 14386018 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/ui/app.jsView on unpkg
dist/brain.jsView file
path = dist/brain.js kind = oversized_cli_entrypoint sizeBytes = 7219388 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/brain.jsView on unpkg

Findings

1 Critical5 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/site.js
HighChild Process
HighSame File Env Network Executiondist/services.js
HighObfuscated Payload Loaderdist/site.js
HighObfuscated
HighOversized Source Filedist/ui/app.js
MediumDynamic Requiredist/site.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/brain.js
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/services.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings