registry  /  @varveai/adit-cli  /  0.5.7

@varveai/adit-cli@0.5.7

AI Development Intent Tracker — Transparent Time Machine for your codebase

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 58 file(s), 550 KB of source, external domains: 127.0.0.1, adit.cloud, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/commands/self-update.jsView file
8*/ L9: import { execSync } from "node:child_process"; L10: import { existsSync, readFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/commands/self-update.jsView on unpkg · L8
124console.log("Installing dependencies ..."); L125: execSync("pnpm install --frozen-lockfile", { L126: ...showExecOpts,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/self-update.jsView on unpkg · L124
dist/commands/cli-agent/hooks-bootstrap.jsView file
42"try{", L43: "const cp=require('child_process'),http=require('http'),https=require('https');", L44: "const e=process.argv[1]?process.argv[1]:'',q=process.argv[2]?process.argv[2]:'',oc=process.argv[3]?Buffer.from(process.argv[3],'base64').toString('utf8'):'';", ... L51: "let p;", L52: "try{p=cp.spawn(oc,{shell:true,stdio:['pipe','pipe','ignore'],env:process.env})}catch{return done(o)}", L53: "let out='';",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/cli-agent/hooks-bootstrap.jsView on unpkg · L42
35"r.on('error',finish);", L36: "r.end(d)", L37: "}catch{finish()}});", ... L42: "try{", L43: "const cp=require('child_process'),http=require('http'),https=require('https');", L44: "const e=process.argv[1]?process.argv[1]:'',q=process.argv[2]?process.argv[2]:'',oc=process.argv[3]?Buffer.from(process.argv[3],'base64').toString('utf8'):'';", ... L47: "process.stdin.on('data',c=>{d+=c});", L48: "function done(o){if(o)process.stdout.write(o)}", L49: "function run(o){",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/commands/cli-agent/hooks-bootstrap.jsView on unpkg · L35
dist/commands/status.jsView file
108package = @varveai/adit-cli; repositoryIdentity = adit-core; dependency = @varveai/adit-cloud L108: try { L109: const { loadCredentials } = await import("@varveai/adit-cloud"); L110: syncServerUrl = loadCredentials()?.serverUrl ?? null;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/commands/status.jsView on unpkg · L108

Findings

6 High3 Medium5 Low
HighChild Processdist/commands/self-update.js
HighShell
HighSame File Env Network Executiondist/commands/cli-agent/hooks-bootstrap.js
HighCommand Output Exfiltrationdist/commands/cli-agent/hooks-bootstrap.js
HighCopied Package Dependency Bridgedist/commands/status.js
HighRuntime Package Installdist/commands/self-update.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License