registry  /  @whittlelabs/sifter  /  0.16.0

@whittlelabs/sifter@0.16.0

Whittle Sifter: paired AI reviewer for Whittle Sift job pools.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 811 KB of source, external domains: api.anthropic.com, api.sift.stage.whittlelabs.com, api.sift.whittlelabs.com, jobs.whittlelabs.com, json-schema.org, keep.whittlelabs.com

Source & flagged code

2 flagged · loading source
bin.jsView file
960var EventEmitter = require("node:events").EventEmitter; L961: var childProcess = require("node:child_process"); L962: var path = require("node:path");
High
Child Process

Package source references child process execution.

bin.jsView on unpkg · L960
15717return new Promise((resolve, reject) => { L15718: const child = (0, child_process_1.spawn)("npm", ["install", "-g", packageSpec], { L15719: stdio: ["ignore", "pipe", "pipe"] ... L15728: else L15729: reject(new Error(`npm install -g exited ${code}: ${output.trim().slice(-500)}`)); L15730: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin.jsView on unpkg · L15717

Findings

2 High3 Medium4 Low
HighChild Processbin.js
HighRuntime Package Installbin.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License