registry  /  @shipshitdev/shipcode  /  0.2.0

@shipshitdev/shipcode@0.2.0

⚠ Under review

Autonomous AI coding pipeline. GitHub issues in, pull requests out.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.04 MB of source, external domains: api.github.com, github.com, openrouter.ai

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "try{require('node-pty')}catch(e){console.warn('[shipcode] node-pty not loadable; terminal features disabled')}"
Critical
Red Install Lifecycle Script

Install-time lifecycle script matches a deterministic static-gate block pattern.

package.jsonView on unpkg
scripts.postinstall = node -e "try{require('node-pty')}catch(e){console.warn('[shipcode] node-pty not loadable; terminal features disabled')}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/program-2NTFQ6M7.jsView file
2777// ../../packages/agents/dist/cli-stdin-runner.js L2778: import { spawn } from "child_process"; L2779:
High
Child Process

Package source references child process execution.

dist/program-2NTFQ6M7.jsView on unpkg · L2777
4005// ../../packages/agents/dist/health-check.js L4006: var execAsync = promisify2(exec); L4007: var execFileAsync2 = promisify2(execFile2);
High
Shell

Package source references shell execution.

dist/program-2NTFQ6M7.jsView on unpkg · L4005
9752path: "feature-intake/plugin.json", L9753: content: '{\n "name": "feature-intake",\n "version": "1.1.0",\n "description": "Capture client requirements as PRD epics, sub-issues, and GitHub Projects kanban items.",\n "aut... L9754: }, ... L9756: path: "feature-intake/SKILL.md", L9757: content: '---\nname: feature-intake\ndescription: Capture a client or stakeholder feature request, turn it into a planner-ready PRD epic with scoped sub-issues, check for duplicate... L9758: }, ... L9764: path: "gh-project-board/scripts/setup-gh-project-board.mjs", L9765: content: "#!/usr/bin/env node\n\nimport { execFileSync } from 'node:child_process';\n\n// The dev-loop board-as-truth model: five human-facing columns. The AI-loop\n// sub-phases (... L9766: },
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/program-2NTFQ6M7.jsView on unpkg · L9752

Findings

1 Critical4 High3 Medium5 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/program-2NTFQ6M7.js
HighShelldist/program-2NTFQ6M7.js
HighCommand Output Exfiltrationdist/program-2NTFQ6M7.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License