registry  /  @vibedrift/cli  /  0.14.8

@vibedrift/cli@0.14.8

This version is outdated — drift detectors and reports have improved substantially since. Upgrade: npm i -g @vibedrift/cli@latest (or run npx @vibedrift/cli@latest)

Ship agentic. Stay coherent. Self-checking code integrity for AI coding agents, in the loop via MCP.

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 1.14 MB of source, external domains: img.shields.io, registry.npmjs.org, schemas.openxmlformats.org, thevibelang.org, vibedrift-api.fly.dev, vibedrift.ai

Source & flagged code

7 flagged · loading source
dist/mcp/server.jsView file
247}); L248: import { execFile } from "child_process"; L249: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/mcp/server.jsView on unpkg · L247
dist/cli/index.jsView file
16242command: `npm i -g ${pkgSpec}`, L16243: options: { stdio: "inherit", shell: true } L16244: };
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L16242
80__export(git_metadata_exports, { L81: collectGitMetadata: () => collectGitMetadata, L82: getChangedFiles: () => getChangedFiles L83: }); L84: import { execFile } from "child_process"; L85: import { promisify } from "util"; ... L94: async function runGit(cwd, args) { L95: const { stdout } = await execFileP("git", args, { L96: cwd, ... L129: const buf = await readFile2(cachePath(rootDir), "utf8"); L130: const entry = JSON.parse(buf); L131: if (entry.headCommit !== head) return null;
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli/index.jsView on unpkg · L80
15999init_plan(); L16000: import { execFile as execFile2 } from "child_process"; L16001: import { promisify as promisify2 } from "util"; ... L16014: if ! command -v vibedrift >/dev/null 2>&1; then L16015: echo "vibedrift not on PATH; skipping drift check (npm i -g @vibedrift/cli)" >&2 L16016: exit 0
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L15999
11180patternName = generic_password severity = medium line = 11180 matchedText = // NOTE:...s>"`
Medium
Secret Pattern

Hardcoded password in dist/cli/index.js

dist/cli/index.jsView on unpkg · L11180
11254id: "eval-usage", L11255: name: "eval() usage", L11256: pattern: /\beval\s*\(/g,
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli/index.jsView on unpkg · L11254
skills/vibedrift/scripts/vibedrift-tools.mjsView file
46try { L47: return await import("@vibedrift/cli/tools"); L48: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

skills/vibedrift/scripts/vibedrift-tools.mjsView on unpkg · L46

Findings

4 High5 Medium6 Low
HighChild Processdist/mcp/server.js
HighShelldist/cli/index.js
HighObfuscated Payload Loaderdist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumDynamic Requireskills/vibedrift/scripts/vibedrift-tools.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/cli/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings