registry  /  @sigmashake/ssg  /  1.0.9

@sigmashake/ssg@1.0.9

AI Agent Governance CLI — evaluate tool calls against rules, block dangerous operations, and surface blocked commands

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.35 MB of source, external domains: 127.0.0.1, 169.254.169.254, accounts.sigmashake.com, api.example.com, bun.sh, docs.sigmashake.com, github.com, hub.sigmashake.com, react.dev, sigmashake.com, www.w3.org

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/cleanup-globals.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/ssg.cjsView file
6L7: const { execFileSync, spawnSync } = require("node:child_process"); L8: const path = require("node:path"); ... L10: L11: const ext = process.platform === "win32" ? ".exe" : ""; L12: const platformPkg = `@sigmashake/ssg-${process.platform}-${process.arch}`; ... L24: // install. L25: // b) default (walks UP from __dirname) — the nested copy at L26: // @sigmashake/ssg/node_modules/@sigmashake/ssg-<plat>-<arch>, which npm ... L44: try { L45: return JSON.parse(fs.readFileSync(pkgJsonPath, "utf8")).version; L46: } catch {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/ssg.cjsView on unpkg · L6

Findings

2 High3 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitybin/ssg.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License