registry  /  @strvmarv/total-recall  /  4.0.3

@strvmarv/total-recall@4.0.3

Multi-tiered memory and knowledge base plugin for TUI coding assistants

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 21 file(s), 87.3 KB of source, external domains: github.com

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
binaries/linux-arm64/runtimes/vec0.soView file
path = binaries/linux-arm64/runtimes/vec0.so kind = native_binary sizeBytes = 156520 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

binaries/linux-arm64/runtimes/vec0.soView on unpkg
hermes-plugin/provider.pyView file
path = hermes-plugin/provider.py kind = build_helper sizeBytes = 19597 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

hermes-plugin/provider.pyView on unpkg
scripts/fetch-binary.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @strvmarv/total-recall@4.0.2 matchedIdentity = npm:QHN0cnZtYXJ2L3RvdGFsLXJlY2FsbA:4.0.2 similarity = 0.810 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/fetch-binary.jsView on unpkg

Findings

2 High6 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltascripts/fetch-binary.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarybinaries/linux-arm64/runtimes/vec0.so
MediumShips Build Helperhermes-plugin/provider.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings