registry  /  @shawnstack/quickforge  /  1.6.7

@shawnstack/quickforge@1.6.7

⚠ Under review

AI chat application with Agent access modes for local workspace tools. React + Vite + Tailwind CSS frontend, local Node.js storage server.

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 94 file(s), 4.90 MB of source, external domains: 127.0.0.1, aiplatform.googleapis.com, api.anthropic.com, api.deepseek.com, api.github.com, api.mistral.ai, api.openai.com, bit.ly, cdn.jsdelivr.net, docs.anthropic.com, docs.expo.dev, docs.mistral.ai, dummy.com, example.com, generativelanguage.googleapis.com, github.com, help.openai.com, json-schema.org, ns.adobe.com, open.bigmodel.cn, platform.claude.com, react.dev, registry.npmjs.org, rolldown.rs, www.w3.org, www.xfa.org
Oversized source lightweight scan
dist/assets/pi-web-ui-DFNE2m5b.js2.70 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsbit.lywww.w3.org

Source & flagged code

7 flagged · loading source
bin/quickforge.mjsView file
1#!/usr/bin/env node L2: import { spawn } from 'node:child_process' L3: import { promises as fs } from 'node:fs'
High
Child Process

Package source references child process execution.

bin/quickforge.mjsView on unpkg · L1
617const tailCmd = process.platform === 'win32' L618: ? `powershell.exe -NoProfile -Command "Get-Content -Path '${escapedLogFile}' -Wait -Tail 80"` L619: : `tail -n 80 -f '${escapedLogFile}'`
High
Shell

Package source references shell execution.

bin/quickforge.mjsView on unpkg · L617
dist/assets/pdf.worker.min-Cpi8b8z3.mjsView file
24* pdfjsBuild = 2cc809ade L25: */const e=!("object"!=typeof process||process+""!="[object process]"||process.versions.nw||process.versions.electron&&process.type&&"browser"!==process.type),t=[.001,0,0,.001,0,0],... L26: /*webpackIgnore: true*/
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/pdf.worker.min-Cpi8b8z3.mjsView on unpkg · L24
24* pdfjsBuild = 2cc809ade L25: */const e=!("object"!=typeof process||process+""!="[object process]"||process.versions.nw||process.versions.electron&&process.type&&"browser"!==process.type),t=[.001,0,0,.001,0,0],... L26: /*webpackIgnore: true*/
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/assets/pdf.worker.min-Cpi8b8z3.mjsView on unpkg · L24
server/update-supervisor.mjsView file
89if (installResult.code !== 0) { L90: log(`npm install failed. code=${installResult.code} signal=${installResult.signal || ''}`) L91: process.exitCode = installResult.code || 1 ... L96: log(`Starting QuickForge server: ${process.execPath} ${[serverScript, ...serverArgs].join(' ')}`) L97: const child = spawn(process.execPath, [serverScript, ...serverArgs], { L98: cwd: serverCwd || undefined,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

server/update-supervisor.mjsView on unpkg · L89
dist/assets/pi-web-ui-DFNE2m5b.jsView file
path = dist/assets/pi-web-ui-DFNE2m5b.js kind = oversized_source_file sizeBytes = 2826865 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/assets/pi-web-ui-DFNE2m5b.jsView on unpkg
server/utils/package-update.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @shawnstack/quickforge@1.5.6 matchedIdentity = npm:QHNoYXduc3RhY2svcXVpY2tmb3JnZQ:1.5.6 similarity = 0.809 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

server/utils/package-update.mjsView on unpkg

Findings

1 Critical4 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltaserver/utils/package-update.mjs
HighChild Processbin/quickforge.mjs
HighShellbin/quickforge.mjs
HighRuntime Package Installserver/update-supervisor.mjs
HighOversized Source Filedist/assets/pi-web-ui-DFNE2m5b.js
MediumDynamic Requiredist/assets/pdf.worker.min-Cpi8b8z3.mjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowEvaldist/assets/pdf.worker.min-Cpi8b8z3.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings