registry  /  @vitos-pizza/vitos-pizza  /  0.1.0

@vitos-pizza/vitos-pizza@0.1.0

Vito's Pizzeria — a Pi distribution (Garfield-approved)

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 121 file(s), 273 KB of source, external domains: api.firecrawl.dev, api.search.brave.com, api.tavily.com, mcp.exa.ai, r.jina.ai

Source & flagged code

2 flagged · loading source
package.jsonView file
dependencies changed=@vitos-pizza/agent-mode,@vitos-pizza/keybindings,@vitos-pizza/permission-system,@vitos-pizza/question,@vitos-pizza/session-title,@vitos-pizza/subagents,@vitos-pizza/ui-enhancements,@vitos-pizza/websearch
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
scripts.postinstall = node scripts/sync-pi-manifest.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 Critical1 High3 Medium4 Low
CriticalManifest Confusionpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings