registry  /  @tjsasakinpm/devflow  /  1.1.0

@tjsasakinpm/devflow@1.1.0

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 205 file(s), 1.24 MB of source, external domains: api.anthropic.com, api.openai.com, astral.sh, cli.github.com, devflow.io, github.com, img.shields.io, nodejs.org, www.w3.org

Source & flagged code

5 flagged · loading source
dist/core/audit-engine.jsView file
43category: "security", L44: description: "eval() or exec() usage detected — arbitrary code execution risk", L45: recommendation: "Replace eval()/exec() with safe alternatives (JSON.parse, structured parsing, or sandboxed evaluation)",
High
Child Process

Package source references child process execution.

dist/core/audit-engine.jsView on unpkg · L43
43category: "security", L44: description: "eval() or exec() usage detected — arbitrary code execution risk", L45: recommendation: "Replace eval()/exec() with safe alternatives (JSON.parse, structured parsing, or sandboxed evaluation)",
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/core/audit-engine.jsView on unpkg · L43
dist/kernel/orchestration/parallel-spawner.jsView file
161stdio: ["ignore", "pipe", "pipe"], L162: execArgv: [], // Don't pass --inspect etc. L163: });
High
Shell

Package source references shell execution.

dist/kernel/orchestration/parallel-spawner.jsView on unpkg · L161
dist/adapters/stacks/typescript/index.jsView file
69// Try vitest, jest, then npm test as fallback L70: const commands = ["npx vitest run", "npx jest", "npm test"]; L71: for (const cmd of commands) { ... L75: try { L76: execSync(`${toolName} --version 2>/dev/null`, { L77: cwd,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/adapters/stacks/typescript/index.jsView on unpkg · L69
src/kernel/artifacts/tool-configs/verify-all.shView file
path = src/kernel/artifacts/tool-configs/verify-all.sh kind = build_helper sizeBytes = 3778 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/kernel/artifacts/tool-configs/verify-all.shView on unpkg

Findings

3 High4 Medium5 Low
HighChild Processdist/core/audit-engine.js
HighShelldist/kernel/orchestration/parallel-spawner.js
HighRuntime Package Installdist/adapters/stacks/typescript/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersrc/kernel/artifacts/tool-configs/verify-all.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/core/audit-engine.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings