registry  /  @skill-map/cli  /  0.74.0

@skill-map/cli@0.74.0

⚠ Under review

skill-map reference implementation — kernel + CLI + adapters.

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 44 file(s), 4.75 MB of source, external domains: agentskills.io, angular.dev, antigravity.google, browser.sentry-cdn.com, code.claude.com, developers.codex.com, docs.rs, docs.sentry.io, eu.i.posthog.com, example.com, fonts.googleapis.com, github.com, json-schema.org, nodejs.org, o447951.ingest.sentry.io, opencode.ai, registry.npmjs.org, sentry.io, skill-map.ai, spotlightjs.com, sqlitebrowser.org, www.npmjs.com, www.w3.org, yandex.com

Source & flagged code

7 flagged · loading source
dist/ui/chunk-3ANNEMV4.jsView file
10patternName = generic_password severity = medium line = 10 matchedText = Reason: ...ion.
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/ui/chunk-3ANNEMV4.jsView on unpkg · L10
dist/ui/chunk-6FGV5O5J.jsView file
1import{a as S,b as z,e as vt,f as Fe,h as Y,i as me,j as ne}from"./chunk-5RNLC6V4.js";import{H as E,K as Tt}from"./chunk-EJVWTBMV.js";import{a as fe,d as Et}from"./chunk-ZRJ5ZCFR.j...
High
Child Process

Package source references child process execution.

dist/ui/chunk-6FGV5O5J.jsView on unpkg · L1
dist/ui/chunk-EVNCL7FV.jsView file
1import{a as Yn,b as Xn,d as Bv,e as Vv,f as zv,g as Gv,h as jv,i as ho}from"./chunk-3U4QZKU2.js";import{A as tb,B as nb,C as ib,D as ob,E as Zn,J as rb,L as ab,M as sb,N as Uh,O as... L2: .p-datatable {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/ui/chunk-EVNCL7FV.jsView on unpkg · L1
dist/index.jsView file
2786contains invisible/control Unicode U+FEFF (zero width no-break space) if (/^<U+FEFF>---\r?\n[\s\S]*?[A-Za-z0-9_-]+\s*:/.test(body)) {
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/index.jsView on unpkg · L2786
Trigger-reachable chain: manifest.exports -> dist/index.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg
dist/cli.jsView file
208Cross-file remote execution chain: dist/cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L208: ...event.jobId !== void 0 ? { jobId: event.jobId } : {}, L209: data: event.data L210: } ... L249: L250: // package.json L251: var package_default = { ... L256: type: "module", L257: homepage: "https://skill-map.ai", L258: repository: { ... L317: "pretest:coverage:html": "tsup", L318: test: "tsc --noEmit && SKILL_MAP_TELEMETRY=0 SM_NO_UPDATE_CHECK=1 node --import tsx --test --test-reporter=./scripts/test-reporter.js --test-reporter-destination=stdout '__tests__/... L319: "test:ci": "FORCE_COLOR=1 SKILL_MAP_TELEMETRY=0 SM_NO_UPDATE_CHECK=1 node --import tsx --test --test-reporter=./scripts/test-reporter.js --test-reporter-destination=stdout '__tests...
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L208
dist/ui/media/fa-brands-400-AHOAZHCU.woff2View file
path = dist/ui/media/fa-brands-400-AHOAZHCU.woff2 kind = high_entropy_blob sizeBytes = 110088 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/ui/media/fa-brands-400-AHOAZHCU.woff2View on unpkg

Findings

2 Critical4 High5 Medium6 Low
CriticalTrojan Source Unicodedist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/ui/chunk-6FGV5O5J.js
HighShell
HighCross File Remote Execution Contextdist/cli.js
HighShips High Entropy Blobdist/ui/media/fa-brands-400-AHOAZHCU.woff2
MediumSecret Patterndist/ui/chunk-3ANNEMV4.js
MediumDynamic Requiredist/ui/chunk-EVNCL7FV.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings