cgraphx@1.2.0

Supercharge AI coding agents with semantic code intelligence — surgical context, fewer tool calls, faster answers. 100% local.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 221 file(s), 2.99 MB of source, external domains: ai.getcodegraph.com, antigravity.google, api.github.com, app.getcodegraph.com, docs.claude.com, docs.cursor.com, geminicli.com, github.com, hermes-agent.nousresearch.com, kiro.dev, opencode.ai, raw.githubusercontent.com, registry.npmjs.org, telemetry.getcodegraph.com

Source & flagged code

9 flagged
dist/dbquery/init.js
L63: patternName = generic_password severity = medium line = 63 matchedText = password...ME',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/dbquery/init.js · L63
L72: patternName = generic_password severity = medium line = 72 matchedText = password...ME',
Medium
Secret Pattern

Hardcoded password in dist/dbquery/init.js

dist/dbquery/init.js · L72
dist/upgrade/index.js
L78: const https = __importStar(require("https"));
L79: const child_process_1 = require("child_process");
L80: exports.REPO = 'smdnkB/cgraphx';
High
Child Process

Package source references child process execution.

dist/upgrade/index.js · L78
dist/bin/codegraph.js
L92: // eslint-disable-next-line @typescript-eslint/no-implied-eval
L93: const importESM = new Function('specifier', 'return import(specifier)');
L94: // Block cgraphx on Node.js 25.x — V8's turboshaft WASM JIT has a Zone
High
Eval

Package source references dynamic code evaluation.

dist/bin/codegraph.js · L92
dist/dbquery/drivers/mysql.js
L15: exports.createMysqlConnection = createMysqlConnection;
L16: const constants_1 = require("../constants");
L17: const errors_1 = require("../errors");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/dbquery/drivers/mysql.js · L15
dist/reasoning/login.js
L17: */
L18: const child_process_1 = require("child_process");
L19: const DEFAULT_BASE = 'https://app.getcodegraph.com';
L20: /** Dashboard base for the device-login endpoints; override for testing via CGRAPHX_LOGIN_URL. */
L21: function loginBaseUrl() {
L22: const raw = process.env.CGRAPHX_LOGIN_URL?.trim() || DEFAULT_BASE;
L23: return raw.replace(/\/+$/, '');
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/reasoning/login.js · L17
dist/installer/index.js
L137: // "permission denied" message.
L138: const result = (0, child_process_1.execSync)(`npm install -g ${upgrade_1.NPM_PACKAGE}`, {
L139: stdio: ['pipe', 'pipe', 'pipe'],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/installer/index.js · L137
dist/extraction/wasm/tree-sitter-scala.wasm
path = dist/extraction/wasm/tree-sitter-scala.wasm kind = wasm_module sizeBytes = 4958320 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/extraction/wasm/tree-sitter-scala.wasm
scripts/build-bundle.sh
path = scripts/build-bundle.sh kind = build_helper sizeBytes = 4785 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/build-bundle.sh

Findings

5 High · 8 Medium · 5 Low
High · Child Process · dist/upgrade/index.js
High · Shell
High · Eval · dist/bin/codegraph.js
High · Same File Env Network Execution · dist/reasoning/login.js
High · Runtime Package Install · dist/installer/index.js
Medium · Secret Pattern · dist/dbquery/init.js
Medium · Dynamic Require · dist/dbquery/drivers/mysql.js
Medium · Network
Medium · Environment Vars
Medium · Ships Wasm Module · dist/extraction/wasm/tree-sitter-scala.wasm
Medium · Ships Build Helper · scripts/build-bundle.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/dbquery/init.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings