registry  /  @zephyrdeng/pi-review  /  0.8.1

@zephyrdeng/pi-review@0.8.1

Isolated AI-powered code and plan reviews from the command line

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 81 file(s), 565 KB of source, external domains: 127.0.0.1, evil.example, pi.dev

Source & flagged code

3 flagged · loading source
dist/panel-ui.jsView file
9import { randomUUID } from "node:crypto"; L10: import { fork } from "node:child_process"; L11: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

dist/panel-ui.jsView on unpkg · L9
dist/cli-exit.test.jsView file
16// `npx tsx --test`), so we don't double-register. Under vitest the worker's L17: // execArgv has no tsx, so fall back to the project-local tsx package which L18: // Node resolves from node_modules via `--import tsx`.
High
Shell

Package source references shell execution.

dist/cli-exit.test.jsView on unpkg · L16
dist/skill.jsView file
14function hasSkillsCli() { L15: const result = spawnSync("npx", ["skills", "--version"], { L16: encoding: "utf8",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/skill.jsView on unpkg · L14

Findings

3 High3 Medium5 Low
HighChild Processdist/panel-ui.js
HighShelldist/cli-exit.test.js
HighRuntime Package Installdist/skill.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings