registry  /  @srinivasa314/ovid  /  0.0.6

@srinivasa314/ovid@0.0.6

A minimal coding-agent layer on pi that records terminal+browser test videos onto PRs

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 83.5 KB of source, external domains: cli.github.com, github.com

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/runner/pw-config.jsView file
16try { L17: const mod = await import(pathToFileURL(userPath).href); L18: user = mod.default ?? {};
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/runner/pw-config.jsView on unpkg · L16
dist/cli.jsView file
24// src/run.ts L25: import { spawn } from "child_process"; L26: import { existsSync, readFileSync } from "fs"; ... L39: const configPath = existsSync(distCfg) ? distCfg : srcCfg; L40: const pwDir = dirname(require2.resolve("playwright/package.json")); L41: const pwBin = join(dirname(pwDir), ".bin", "playwright"); ... L44: const env = { L45: ...process.env, L46: OVID_PROJECT_ROOT: projectRoot, ... L55: const code = await new Promise((resolve) => { L56: const detached = process.platform !== "win32"; L57: const p = spawn(pwBin, args, {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L24
assets/fonts/JetBrainsMono-Regular.woff2View file
path = assets/fonts/JetBrainsMono-Regular.woff2 kind = high_entropy_blob sizeBytes = 21168 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/fonts/JetBrainsMono-Regular.woff2View on unpkg

Findings

3 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/cli.js
HighShips High Entropy Blobassets/fonts/JetBrainsMono-Regular.woff2
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/runner/pw-config.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings