registry  /  @xevy/cli  /  0.1.1

@xevy/cli@0.1.1

Xevy CLI — one command (`xevy setup`) installs the Xevy SDLC agent skills and the OAuth MCP server globally for Cursor, Claude Code, and 50+ agents. No API key required.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 6 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 1 file(s), 9.35 KB of source, external domains: xevy.ai, xevy.vyte.dev

Source & flagged code

1 flagged · loading source
bin/xevy.mjsView file
21*/ L22: import { spawnSync } from "node:child_process"; L23: import { createRequire } from "node:module"; ... L32: L33: const DEFAULT_BASE = "https://xevy.ai"; L34: const DEFAULT_AGENTS = ["cursor", "claude-code"]; L35: const isWindows = process.platform === "win32"; L36: L37: const PI_PACKAGE = "@mariozechner/pi-coding-agent"; L38: const PI_EXTENSION_DIR = path.join(os.homedir(), ".pi", "agent", "extensions"); L39: // pi extensions installed by `xevy pi` — file name + a marker string used to ... L47: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/xevy.mjsView on unpkg · L21

Findings

1 High2 Medium3 Low
HighSandbox Evasion Gated Capabilitybin/xevy.mjs
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowUrl Strings
LowNo License