registry  /  ai.libx.js  /  0.18.5

ai.libx.js@0.18.5

⚠ Under review

Unified API bridge for various AI models (LLMs, image/video generation, TTS, STT) - stateless, edge-compatible

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 108 file(s), 753 KB of source, external domains: 127.0.0.1, ai.google.dev, ai.libx.js, api.ai21.com, api.anthropic.com, api.cloudflare.com, api.cohere.ai, api.deepseek.com, api.groq.com, api.inceptionlabs.ai, api.mistral.ai, api.moonshot.ai, api.openai.com, api.x.ai, cursor.com, developers.cloudflare.com, docs.anthropic.com, docs.x.ai, generativelanguage.googleapis.com, openrouter.ai, upload.wikimedia.org

Source & flagged code

4 flagged · loading source
build/adapters/cursor-isolation.jsView file
13exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs"); ... L38: try { L39: const p = (0, node_child_process_1.execFileSync)('/usr/bin/env', ['node', '-e', 'process.stdout.write(process.execPath)'], { encoding: 'utf8' }).trim(); L40: if (p && (0, node_fs_1.existsSync)(p)) ... L49: for (let i = 0; i < 24; i++) { L50: const pj = (0, node_path_1.join)(d, 'package.json'); L51: if ((0, node_fs_1.existsSync)(pj)) { L52: try { L53: if ((_a = JSON.parse((0, node_fs_1.readFileSync)(pj, 'utf8'))) === null || _a === void 0 ? void 0 : _a.name) L54: return d;
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

build/adapters/cursor-isolation.jsView on unpkg · L13
13Trigger-reachable chain: manifest.main -> build/index.js -> build/adapters/cursor-isolation.js L13: exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs"); ... L38: try { L39: const p = (0, node_child_process_1.execFileSync)('/usr/bin/env', ['node', '-e', 'process.stdout.write(process.execPath)'], { encoding: 'utf8' }).trim(); L40: if (p && (0, node_fs_1.existsSync)(p)) ... L49: for (let i = 0; i < 24; i++) { L50: const pj = (0, node_path_1.join)(d, 'package.json'); L51: if ((0, node_fs_1.existsSync)(pj)) { L52: try { L53: if ((_a = JSON.parse((0, node_fs_1.readFileSync)(pj, 'utf8'))) === null || _a === void 0 ? void 0 : _a.name) L54: return d;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

build/adapters/cursor-isolation.jsView on unpkg · L13
matchType = previous_version_dangerous_delta matchedPackage = ai.libx.js@0.18.4 matchedIdentity = npm:YWkubGlieC5qcw:0.18.4 similarity = 0.981 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/adapters/cursor-isolation.jsView on unpkg
13exports.prepareIsolation = prepareIsolation; L14: const node_child_process_1 = require("node:child_process"); L15: const node_fs_1 = require("node:fs");
High
Child Process

Package source references child process execution.

build/adapters/cursor-isolation.jsView on unpkg · L13

Findings

3 Critical2 High3 Medium4 Low
CriticalReverse Shellbuild/adapters/cursor-isolation.js
CriticalTrigger Reachable Dangerous Capabilitybuild/adapters/cursor-isolation.js
CriticalPrevious Version Dangerous Deltabuild/adapters/cursor-isolation.js
HighChild Processbuild/adapters/cursor-isolation.js
HighShell
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings