registry  /  @rizom/brain  /  0.2.0-alpha.145

@rizom/brain@0.2.0-alpha.145

⚠ Under review

Brain runtime + CLI — scaffold, run, and manage AI brain instances

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 5.33 MB of source, external domains: api.cloudflare.com, api.hetzner.cloud, cdn.jsdelivr.net, example.com, fonts.googleapis.com, foo.com, github.com, json-schema.org, react.dev, reactjs.org, rizom.ai, tailwindcss.com, varlock.dev, www.w3.org, www.w3ctech.com
Oversized source lightweight scan
dist/brain.js7.14 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsHighEntropyStringsUrlStringsProtestwareapi.cloudflare.comapi.hetzner.cloudgithub.comrizom.aivarlock.dev
dist/ui/app.js13.9 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsgithub.comreact.devreactjs.org

Source & flagged code

7 flagged · loading source
dist/services.jsView file
42return `+str.trim()+`; L43: }());`;return eval(str)||{}}catch($){if(wrap!==!1&&/(unexpected|identifier)/i.test($.message))return parse(str,options,!1);throw SyntaxError($)}},stringify:function(){throw Error("... L44: * strip-bom-string <https://github.com/jonschlinkert/strip-bom-string> L45: * ... L51: `+_.delimiters[1],J=$.content;if(_.language)$.language=_.language;let G=I.length;if(!eq.startsWith(J,I,G))return sq($,_),$;if(J.charAt(G)===I.slice(-1))return $;J=J.slice(G);let X=... L52: `)$.content=$.content.slice(1)}if(sq($,_),_.sections===!0||typeof _.section==="function")NZ($,_.section);return $}E$.engines=OZ;E$.stringify=function($,D,_){if(typeof $==="string")... L53: `).join(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/services.jsView on unpkg · L42
42return `+str.trim()+`; L43: }());`;return eval(str)||{}}catch($){if(wrap!==!1&&/(unexpected|identifier)/i.test($.message))return parse(str,options,!1);throw SyntaxError($)}},stringify:function(){throw Error("... L44: * strip-bom-string <https://github.com/jonschlinkert/strip-bom-string>
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/services.jsView on unpkg · L42
dist/site.jsView file
402Defaulting to 2020, but this will stop working in the future.`)),r.ecmaVersion=11):r.ecmaVersion>=2015&&(r.ecmaVersion-=2009),r.allowReserved==null&&(r.allowReserved=r.ecmaVersion<... L403: `,Q-1)+1,this.curLine=this.input.slice(0,this.lineStart).split(p).length):(this.pos=this.lineStart=0,this.curLine=1),this.type=_.eof,this.value=null,this.start=this.end=this.pos,th... L404: `),cooked:null}):Q.value={raw:this.input.slice(this.start,this.end).replace(/\r\n?/g,`
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/site.jsView on unpkg · L402
dist/plugins.jsView file
1// @bun L2: var WA=Object.create;var{getPrototypeOf:YA,defineProperty:PG,getOwnPropertyNames:PA}=Object;var HA=Object.prototype.hasOwnProperty;function wA($){return this[$]}var KA,OA,ND=($,U,G... L3: `).join(` L4: `+V),$.push(D+"m+"+_0.exports.humanize(this.diff)+"\x1B[0m")}else $[0]=EM()+U+" "+$[0]}function EM(){if(mP.inspectOpts.hideDate)return"";return new Date().toISOString()+" "}functio... L5: `)}function kM($){if($)process.env.DEBUG=$;else delete process.env.DEBUG}function xM(){return process.env.DEBUG}function bM($){$.inspectOpts={};let U=Object.keys(mP.inspectOpts);fo... L6: `).map((U)=>U.trim()).join(" ")};hP.O=function($){return this.inspectOpts.colors=this.useColors,A0.inspect($,this.inspectOpts)}});var pP=Z$((Ur,hV)=>{if(typeof process>"u"||process... L7: * is-extendable <https://github.com/jonschlinkert/is-extendable> L8: * ... L46: return `+str.trim()+`; L47: }());`;return eval(str)||{}}catch($){if(wrap!==!1&&/(unexpected|identifier)/i.test($.message))return parse(str,options,!1);throw SyntaxError($)}},stringify:function(){throw Error("... L48: * strip-bom-string <https://github.com/jonschlinkert/strip-bom-string> ... L187: `+F.slice(m+1);else $$+=F.slice(C);retur
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/plugins.jsView on unpkg · L1
dist/ui/app.jsView file
path = dist/ui/app.js kind = oversized_source_file sizeBytes = 14543892 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/ui/app.jsView on unpkg
dist/brain.jsView file
path = dist/brain.js kind = oversized_cli_entrypoint sizeBytes = 7481703 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/brain.jsView on unpkg
dist/interfaces.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @rizom/brain@0.2.0-alpha.137 matchedIdentity = npm:QHJpem9tL2JyYWlu:0.2.0-alpha.137 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/interfaces.jsView on unpkg

Findings

1 Critical5 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/interfaces.js
HighChild Process
HighSame File Env Network Executiondist/services.js
HighObfuscated Payload Loaderdist/plugins.js
HighObfuscated
HighOversized Source Filedist/ui/app.js
MediumDynamic Requiredist/site.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumOversized Cli Entrypointdist/brain.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/services.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings