registry  /  @x12i/xops  /  3.7.0

@x12i/xops@3.7.0

Repository operating layer for Node.js tools, releases, and code agents

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 252 file(s), 1.11 MB of source, external domains: 127.0.0.1, api.bitbucket.org, api.github.com, aquasecurity.github.io, chatgpt.com, claude.ai, cli.github.com, gitbutler.com, github.com, gitlab.com, google.github.io, registry.npmjs.org, semgrep.dev

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/scripts/renderPublishRunbook.jsView file
68`for pkgdir in ${pkgDirs.map((dir) => shellQuote(dir)).join(" ")}; do`, L69: ' name=$(node -p "require(process.argv[1]).name" "$pkgdir/package.json")', L70: ' local=$(node -p "require(process.argv[1]).version" "$pkgdir/package.json")',
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/scripts/renderPublishRunbook.jsView on unpkg · L68
dist/tools/seamlessTools.jsView file
1import { spawnSync } from "node:child_process"; L2: import { runCommand } from "../execution/runCommand.js"; ... L8: binary: "but", L9: installCommand: process.platform === "win32" L10: ? undefined L11: : ["sh", "-c", "curl -fsSL https://gitbutler.com/install.sh | sh"], L12: updateCommand: process.platform === "win32" ... L24: function autoInstallEnabled() { L25: return process.env.XOPS_AUTO_INSTALL_TOOLS !== "0" && process.env.XOPS_NO_AUTO_INSTALL_TOOLS !== "1"; L26: } ... L33: } L34: export async function ensureSeamlessToolInstalled(id, cwd = process.cwd()) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/tools/seamlessTools.jsView on unpkg · L1

Findings

2 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/tools/seamlessTools.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/scripts/renderPublishRunbook.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings