registry  /  @vectorplane/ctrl-cli  /  0.9.0

@vectorplane/ctrl-cli@0.9.0

Continuity CLI for teams that operate with AI every day.

Static Scan Results

scanned 21h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 75 file(s), 359 KB of source, external domains: 127.0.0.1, absolute-urls-only.invalid, api.ipify.org, app.vectorplane.ai, proxy-pn.vectorplane.ai

Source & flagged code

1 flagged · loading source
dist/commands/runner.jsView file
177package = @vectorplane/ctrl-cli; repositoryIdentity = vectorplane-ctrl-cli; dependency = ws L177: try { L178: WsCtor = (await import("ws")).WebSocket; L179: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/commands/runner.jsView on unpkg · L177

Findings

1 High3 Medium5 Low
HighCopied Package Dependency Bridgedist/commands/runner.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings