registry  /  carto-md  /  2.1.1

carto-md@2.1.1

Structural intelligence + episodic memory for AI coding tools. Indexes your codebase into SQLite — routes, models, import graph, blast radius, domains — and exposes ~75 MCP tools (validate_diff, get_change_plan, did_we_discuss_this, get_predictive_risk, …

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 141 file(s), 1.11 MB of source, external domains: aka.ms, api.anthropic.com, api.groq.com, api.openai.com, api.together.xyz, generativelanguage.googleapis.com, github.com, nodejs.org, openrouter.ai, registry.npmjs.org, www.npmjs.com

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/gen-api-docs.jsView file
27// eslint-disable-next-line no-new-func L28: return (new Function(`return ${arrayLiteral}`))(); L29: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

scripts/gen-api-docs.jsView on unpkg · L27
index.jsView file
6* Usage: L7: * const { StoreAdapter } = require('carto-md'); L8: * const carto = new StoreAdapter();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L6
src/rules/engine.jsView file
1'use strict'; L2:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/rules/engine.jsView on unpkg · L1

Findings

1 High5 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireindex.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalscripts/gen-api-docs.js
LowWeak Cryptosrc/rules/engine.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings