registry  /  @rizom/brain  /  0.2.0-alpha.153

@rizom/brain@0.2.0-alpha.153

⚠ Under review

Brain runtime + CLI — scaffold, run, and manage AI brain instances

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 13 file(s), 6.71 MB of source, external domains: api.cloudflare.com, api.hetzner.cloud, cdn.jsdelivr.net, example.com, fonts.googleapis.com, foo.com, github.com, json-schema.org, react.dev, reactjs.org, rizom.ai, tailwindcss.com, varlock.dev, www.ibm.com, www.w3.org, www.w3ctech.com
Oversized source lightweight scan
dist/brain.js7.70 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsHighEntropyStringsUrlStringsProtestwareapi.cloudflare.comapi.hetzner.cloudgithub.comrizom.aivarlock.dev
dist/ui/app.js13.9 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsMinifiedUrlStringsgithub.comreact.devreactjs.org

Source & flagged code

7 flagged · loading source
dist/ui/cms-app.jsView file
266contains invisible/control Unicode U+200B (zero width space) `).at(-1);if(W&&W.trim().length>0)return`${Z}<U+200B>`}if(O21.test(q)&&!J.match(R21)){let W=Y.split(`
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/ui/cms-app.jsView on unpkg · L266
375`&&Z.lineWrapping){if(Y)Y=x1.single(Y.main.anchor-1,Y.main.head-1);J={from:W.from,to:W.to,insert:p0.of([" "])}}if(J)return FO(Z,J,Y,H);else if(Y&&!CW(Y,W)){let z=!1,V="select";if(Z... L376: `))};if((p1.mac||p1.android)&&O.from==W-1&&/^\. ?$/.test(J.text)&&Z.contentDOM.getAttribute("autocorrect")=="off")O={from:H,to:z,insert:p0.of([J.text.replace("."," ")])};if(this.pe... L377: `+X.scrub(),q=this.advance(Y);if(q>-1&&q<Y.length)return this.complete(Z,J,q);return!1}finish(Z,X){if((this.stage==2||this.stage==3)&&xY(X.content,this.pos)==X.content.length)retur...
High
Child Process

Package source references child process execution.

dist/ui/cms-app.jsView on unpkg · L375
374`,q=Z.state.doc.line(q.number+(J?1:-1)),W=Z.bidiSpans(q),L=Z.visualLineSide(q,!J)}if(!V){if(!Y)return L;V=Y(O)}else if(!V(O))return z;z=L}}function Br(Z,X,J){let Y=Z.state.charCate... L375: `&&Z.lineWrapping){if(Y)Y=x1.single(Y.main.anchor-1,Y.main.head-1);J={from:W.from,to:W.to,insert:p0.of([" "])}}if(J)return FO(Z,J,Y,H);else if(Y&&!CW(Y,W)){let z=!1,V="select";if(Z... L376: `))};if((p1.mac||p1.android)&&O.from==W-1&&/^\. ?$/.test(J.text)&&Z.contentDOM.getAttribute("autocorrect")=="off")O={from:H,to:z,insert:p0.of([J.text.replace("."," ")])};if(this.pe... L377: `+X.scrub(),q=this.advance(Y);if(q>-1&&q<Y.length)return this.complete(Z,J,q);return!1}finish(Z,X){if((this.stage==2||this.stage==3)&&xY(X.content,this.pos)==X.content.length)retur... ... L380: `?"":X;return Z+J.length>this.to?J.slice(0,this.to-Z):J}prevLineEnd(){return this.atEnd?this.lineStart:this.lineStart-1}startContext(Z,X,J=0){this.block=pW.create(Z,J,this.lineStar... L381: `)q--;this.fragmentEnd=q?q-1:0}let J=this.cursor;if(!J)J=this.cursor=this.fragment.tree.cursor(),J.firstChild();let Y=Z+this.fragment.offset;while(J.to<=Y)if(!J.parent())return!1;f... L382: \${}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/ui/cms-app.jsView on unpkg · L374
dist/services.jsView file
42return `+str.trim()+`; L43: }());`;return eval(str)||{}}catch($){if(wrap!==!1&&/(unexpected|identifier)/i.test($.message))return parse(str,options,!1);throw SyntaxError($)}},stringify:function(){throw Error("... L44: * strip-bom-string <https://github.com/jonschlinkert/strip-bom-string>
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/services.jsView on unpkg · L42
dist/ui/app.jsView file
path = dist/ui/app.js kind = oversized_source_file sizeBytes = 14544724 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/ui/app.jsView on unpkg
dist/brain.jsView file
path = dist/brain.js kind = oversized_cli_entrypoint sizeBytes = 8071684 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/brain.jsView on unpkg
dist/interfaces.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @rizom/brain@0.2.0-alpha.137 matchedIdentity = npm:QHJpem9tL2JyYWlu:0.2.0-alpha.137 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/interfaces.jsView on unpkg

Findings

1 Critical5 High6 Medium7 Low
CriticalTrojan Source Unicodedist/ui/cms-app.js
HighChild Processdist/ui/cms-app.js
HighSame File Env Network Executiondist/ui/cms-app.js
HighObfuscated
HighOversized Source Filedist/ui/app.js
HighPrevious Version Dangerous Deltadist/interfaces.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumOversized Cli Entrypointdist/brain.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/services.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings