registry  /  @vibedrift/cli  /  0.15.0

@vibedrift/cli@0.15.0

Ship agentic. Stay coherent. Self-checking code integrity for AI coding agents, in the loop via MCP.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 1.22 MB of source, external domains: img.shields.io, registry.npmjs.org, schemas.openxmlformats.org, thevibelang.org, vibedrift-api.fly.dev, vibedrift.ai

Source & flagged code

7 flagged · loading source
dist/render.jsView file
969{ regex: /execSync\s*\(/, label: "sync command execution", severity: "error", category: "command_injection" }, L970: { regex: /child_process/, label: "child process", severity: "error", category: "command_injection" }, L971: { regex: /os\.system\s*\(/, label: "OS system call", severity: "error", category: "command_injection" },
High
Child Process

Package source references child process execution.

dist/render.jsView on unpkg · L969
dist/cli/index.jsView file
16881command: `npm i -g ${pkgSpec}`, L16882: options: { stdio: "inherit", shell: true } L16883: };
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L16881
80__export(git_metadata_exports, { L81: collectGitMetadata: () => collectGitMetadata, L82: getChangedFiles: () => getChangedFiles L83: }); L84: import { execFile } from "child_process"; L85: import { promisify } from "util"; ... L94: async function runGit(cwd, args) { L95: const { stdout } = await execFileP("git", args, { L96: cwd, ... L129: const buf = await readFile2(cachePath(rootDir), "utf8"); L130: const entry = JSON.parse(buf); L131: if (entry.headCommit !== head) return null;
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli/index.jsView on unpkg · L80
16638init_plan(); L16639: import { execFile as execFile2 } from "child_process"; L16640: import { promisify as promisify2 } from "util"; ... L16653: if ! command -v vibedrift >/dev/null 2>&1; then L16654: echo "vibedrift not on PATH; skipping drift check (npm i -g @vibedrift/cli)" >&2 L16655: exit 0
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L16638
11732patternName = generic_password severity = medium line = 11732 matchedText = // NOTE:...s>"`
Medium
Secret Pattern

Hardcoded password in dist/cli/index.js

dist/cli/index.jsView on unpkg · L11732
11809id: "eval-usage", L11810: name: "eval() usage", L11811: pattern: /\beval\s*\(/g,
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli/index.jsView on unpkg · L11809
skills/vibedrift/scripts/vibedrift-tools.mjsView file
46try { L47: return await import("@vibedrift/cli/tools"); L48: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

skills/vibedrift/scripts/vibedrift-tools.mjsView on unpkg · L46

Findings

4 High5 Medium6 Low
HighChild Processdist/render.js
HighShelldist/cli/index.js
HighObfuscated Payload Loaderdist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumDynamic Requireskills/vibedrift/scripts/vibedrift-tools.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/cli/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings