@vibgrate/cli@2026.703.3

⚠ Under review

vg — local codebase intelligence CLI + MCP server for AI coding agents: deterministic code graph, drift reporting, and version-correct library docs (Apache-2.0)

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 12 file(s), 874 KB of source, external domains: api.github.com, api.nuget.org, api.osv.dev, api.vibgrate.com, artifacthub.io, crates.io, cwe.mitre.org, github.com, hex.pm, hub.docker.com, openvex.dev, owasp.org, packages.ecosyste.ms, proxy.golang.org, pub.dev, pypi.org, raw.githubusercontent.com, registry.npmjs.org, registry.terraform.io, repo.packagist.org, rubygems.org, search.maven.org, spdx.org, vibgrate.com

Source & flagged code

9 flagged

package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

dist/chunk-2PJRXVUW.js
L9:  import { parse } from 'yaml';
L10: import { execFile, spawn } from 'child_process';
L11: import * as fs2 from 'fs/promises';
High
Child Process

Package source references child process execution.

dist/chunk-2PJRXVUW.js · L9

L2334: async function findPythonManifests(rootDir) {
L2335:   const { findFiles: findFiles2 } = await import('./fs-7KZ4F3SB.js');
L2336:   return findFiles2(rootDir, (name) => PYTHON_MANIFEST_FILES.has(name) || /^requirements.*\.txt$/.test(name));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-2PJRXVUW.js · L2334

dist/cli.js
L1: #!/usr/bin/env node
L2: import { resolveDsn, resolveIngestHost, dashHostForIngestHost, availableRegionIds, createWorkspaceDsn, writeStoredCredentials, credentialsPath, findGitRoot, ensureGitignored, gitig...
L3: import { resolvedGrammarFiles, grammarSetVersion } from './chunk-X5YT263H.js';
...
L13: import { Command, CommanderError, Option } from 'commander';
L14: import { execSync, spawn, execFileSync } from 'child_process';
L15: import chalk5 from 'chalk';
...
L21: function info(message = "") {
L22:   process.stderr.write(`${message}
L23: `);
...
L273: function rel(root) {
L274:   const r = path9.relative(process.cwd(), root);
L275:   return r === "" ? "." : r;
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli.js · L1

Trigger-reachable chain: manifest.bin -> dist/cli.js
L1: #!/usr/bin/env node
L2: import { resolveDsn, resolveIngestHost, dashHostForIngestHost, availableRegionIds, createWorkspaceDsn, writeStoredCredentials, credentialsPath, findGitRoot, ensureGitignored, gitig...
L3: import { resolvedGrammarFiles, grammarSetVersion } from './chunk-X5YT263H.js';
...
L13: import { Command, CommanderError, Option } from 'commander';
L14: import { execSync, spawn, execFileSync } from 'child_process';
L15: import chalk5 from 'chalk';
...
L21: function info(message = "") {
L22:   process.stderr.write(`${message}
L23: `);
...
L273: function rel(root) {
L274:   const r = path9.relative(process.cwd(), root);
L275:   return r === "" ? "." : r;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.js · L1

L3113: if (platform === "win32") {
L3114:   return `PowerShell: Remove-Item Env:${varName} | cmd.exe: set ${varName}=`;
L3115: }
High
Shell

Package source references shell execution.

dist/cli.js · L3113

Cross-file remote execution chain: dist/cli.js spawns dist/chunk-J4DFLN2Q.js; helper contains network access plus dynamic code execution.
L1: #!/usr/bin/env node
L2: import { resolveDsn, resolveIngestHost, dashHostForIngestHost, availableRegionIds, createWorkspaceDsn, writeStoredCredentials, credentialsPath, findGitRoot, ensureGitignored, gitig...
L3: import { resolvedGrammarFiles, grammarSetVersion } from './chunk-X5YT263H.js';
...
L13: import { Command, CommanderError, Option } from 'commander';
L14: import { execSync, spawn, execFileSync } from 'child_process';
L15: import chalk5 from 'chalk';
...
L21: function info(message = "") {
L22:   process.stderr.write(`${message}
L23: `);
...
L273: function rel(root) {
L274:   const r = path9.relative(process.cwd(), root);
L275:   return r === "" ? "." : r;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.js · L1

grammars/tree-sitter-go.wasm
path = grammars/tree-sitter-go.wasm
kind = wasm_module
sizeBytes = 235957
magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

grammars/tree-sitter-go.wasm

Findings

2 Critical · 4 High · 6 Medium · 4 Low

Critical: Credential Exfiltration (dist/cli.js)
Critical: Trigger Reachable Dangerous Capability (dist/cli.js)
High: Install Time Lifecycle Scripts (package.json)
High: Child Process (dist/chunk-2PJRXVUW.js)
High: Shell (dist/cli.js)
High: Cross File Remote Execution Context (dist/cli.js)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Dynamic Require (dist/chunk-2PJRXVUW.js)
Medium: Network
Medium: Environment Vars
Medium: Ships Wasm Module (grammars/tree-sitter-go.wasm)
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings