registry  /  @vibecodeqa/cli  /  0.44.4

@vibecodeqa/cli@0.44.4

Code health scanner for the AI coding era. 34 checks, zero config, full report.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 65 file(s), 628 KB of source, external domains: api.anthropic.com, api.github.com, api.vibecodeqa.online, biomejs.dev, bitbucket.org, choosealicense.com, github.com, gitlab.com, json.schemastore.org, registry.npmjs.org, vibecodeqa.online, www.w3.org

Source & flagged code

5 flagged · loading source
dist/monitor.jsView file
12import { watch, existsSync, mkdirSync, writeFileSync, readFileSync } from "node:fs"; L13: import { execFile, execSync } from "node:child_process"; L14: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

dist/monitor.jsView on unpkg · L12
dist/check-meta.jsView file
126risk: "These patterns represent the most commonly exploited vulnerabilities in web applications (OWASP Top 10). A single XSS or injection vulnerability can lead to account takeover... L127: recommendation: "Replace innerHTML with textContent or DOM APIs. Never use eval(). Use parameterized queries for SQL. Use crypto.randomUUID() instead of Math.random() for tokens. V... L128: deeperTools: ["semgrep", "eslint-plugin-security", "CodeQL"],
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/check-meta.jsView on unpkg · L126
dist/runners/duplication.jsView file
266function tryJscpd(cwd) { L267: // jscpd writes JSON to a file, not stdout. Use a temp output dir. L268: const tmpDir = join(cwd, ".vibe-check", "jscpd-tmp"); ... L287: try { L288: const data = JSON.parse(rawData); L289: if (!data.statistics)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/runners/duplication.jsView on unpkg · L266
dist/cli.jsView file
15import { computeTrend, formatTrend } from "./trend.js"; L16: const pkg = JSON.parse(readFileSync(new URL("../package.json", import.meta.url), "utf-8")); L17: const VERSION = pkg.version; ... L280: try { L281: const { execSync } = require("node:child_process"); L282: const cmd = base === "HEAD" ? "git diff --name-only" : `git diff --name-only ${base}...HEAD`; L283: const stdout = execSync(cmd, { cwd, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] }).trim(); L284: if (!stdout) ... L330: async function handleUpload(report, cwd, quietMode) { L331: const token = process.env.VCQA_TOKEN || process.env.GITHUB_TOKEN; L332: if (!token) { ... L349: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L15
dist/commands/fix.jsView file
54try { L55: execSync("npx biome check --write .", { cwd, stdio: "inherit", timeout: 30_000 }); L56: fixed++;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/fix.jsView on unpkg · L54

Findings

4 High3 Medium7 Low
HighChild Processdist/monitor.js
HighShell
HighSandbox Evasion Gated Capabilitydist/cli.js
HighRuntime Package Installdist/commands/fix.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/check-meta.js
LowWeak Cryptodist/runners/duplication.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings