registry  /  @xevy/cli  /  0.1.2

@xevy/cli@0.1.2

Xevy CLI — `xevy setup` installs the pi agent + the Xevy pi extension and stores your API key; `xevy` opens pi with it.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 6 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 1 file(s), 9.29 KB of source, external domains: xevy.ai, xevy.vyte.dev

Source & flagged code

1 flagged · loading source
bin/xevy.mjsView file
14*/ L15: import { spawnSync } from "node:child_process"; L16: import fs from "node:fs"; ... L24: L25: const DEFAULT_BASE = "https://xevy.ai"; L26: const isWindows = process.platform === "win32"; L27: ... L31: // Where `xevy setup` installs the extension and `xevy` loads it from. L32: const XEVY_EXTENSIONS_DIR = path.join(os.homedir(), ".xevy", "extensions"); L33: const XEVY_EXTENSION_FILE = "xevy.ts"; ... L37: const CREDENTIALS_DIR = path.join( L38: process.env.XDG_CONFIG_HOME || path.join(os.homedir(), ".config"),
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/xevy.mjsView on unpkg · L14

Findings

1 High2 Medium3 Low
HighSandbox Evasion Gated Capabilitybin/xevy.mjs
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowUrl Strings
LowNo License