registry  /  @varveai/adit-cli  /  1.0.1

@varveai/adit-cli@1.0.1

AI Development Intent Tracker — Transparent Time Machine for your codebase

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 77 file(s), 591 KB of source, external domains: 127.0.0.1, adit.cloud, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/commands/self-update.jsView file
8*/ L9: import { execSync } from "node:child_process"; L10: import { existsSync, readFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/commands/self-update.jsView on unpkg · L8
124console.log("Installing dependencies ..."); L125: execSync("pnpm install --frozen-lockfile", { L126: ...showExecOpts,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/self-update.jsView on unpkg · L124
dist/commands/cli-agent/cli-process.jsView file
79* Terminate a spawned CLI, including its descendants on Windows. `.cmd`/`.bat` L80: * shims run under a cmd.exe shell, so killing only the direct child leaves the L81: * real CLI (e.g. claude.exe) alive and still reading the console — which is
High
Shell

Package source references shell execution.

dist/commands/cli-agent/cli-process.jsView on unpkg · L79
dist/commands/cli-agent/claude/hooks-bootstrap.jsView file
17"try{", L18: "const cp=require('child_process'),http=require('http'),https=require('https');", L19: "const e=process.argv[1]?process.argv[1]:'',q=process.argv[2]?process.argv[2]:'',oc=process.argv[3]?Buffer.from(process.argv[3],'base64').toString('utf8'):'';", ... L26: "let p;", L27: "try{p=cp.spawn(oc,{shell:true,stdio:['pipe','pipe','ignore'],env:process.env})}catch{return done(o)}", L28: "let out='';",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/cli-agent/claude/hooks-bootstrap.jsView on unpkg · L17
17"try{", L18: "const cp=require('child_process'),http=require('http'),https=require('https');", L19: "const e=process.argv[1]?process.argv[1]:'',q=process.argv[2]?process.argv[2]:'',oc=process.argv[3]?Buffer.from(process.argv[3],'base64').toString('utf8'):'';", ... L22: "process.stdin.on('data',c=>{d+=c});", L23: "function done(o){if(o)process.stdout.write(o)}", L24: "function run(o){",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/commands/cli-agent/claude/hooks-bootstrap.jsView on unpkg · L17

Findings

5 High3 Medium5 Low
HighChild Processdist/commands/self-update.js
HighShelldist/commands/cli-agent/cli-process.js
HighSame File Env Network Executiondist/commands/cli-agent/claude/hooks-bootstrap.js
HighCommand Output Exfiltrationdist/commands/cli-agent/claude/hooks-bootstrap.js
HighRuntime Package Installdist/commands/self-update.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License