@witchynibbles/archon@0.2.0

Opt-in overlay for archon's shared-core orchestration.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 188 file(s), 1.78 MB of source, external domains: api.openai.com, api.voyageai.com, claude.ai, www.w3.org

Source & flagged code

5 flagged
scripts/setup-archon.sh
L417: patternName = generic_password severity = medium line = 417 matchedText = escaped_...}")"
Medium
Secret Pattern

Package contains a possible secret pattern.

scripts/setup-archon.sh · L417
path = scripts/setup-archon.sh kind = build_helper sizeBytes = 14995 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/setup-archon.sh

dist/review.js
L55: const resolvedPath = path.isAbsolute(adapterModulePath) ? adapterModulePath : path.resolve(cwd, adapterModulePath);
L56: const adapterModule = await import(pathToFileURL(resolvedPath).href);
L57: const availableBackends = adapterModule.reviewIdentityAdapters && typeof adapterModule.reviewIdentityAdapters === "object" && !Array.isArray(adapterModule.reviewIdentityAdapters) ?...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/review.js · L55

dist/runtime/repo-markdown-indexer.js
L183: sourceAnchor: section.sourceAnchor,
L184: metadata: buildArtifactMetadata(input.relativePath, chunkIndex),
L185: createdAt: (/* @__PURE__ */ new Date()).toISOString()
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/runtime/repo-markdown-indexer.js · L183

dist/runtime.js
matchType = previous_version_dangerous_delta matchedPackage = @witchynibbles/archon@0.1.0 matchedIdentity = npm:QHdpdGNoeW5pYmJsZXMvYXJjaG9u:0.1.0 similarity = 0.908 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/runtime.js

Findings

1 High · 6 Medium · 6 Low
High · Previous Version Dangerous Delta · dist/runtime.js
Medium · Secret Pattern · scripts/setup-archon.sh
Medium · Dynamic Require · dist/review.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · scripts/setup-archon.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/runtime/repo-markdown-indexer.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings