
clay-generator@0.3.3

a model and convention based source code generator

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
Source: Child Process · Crypto · Dynamic Require · Environment Vars · Eval · Filesystem · Network · Shell
Supply chain: High Entropy Strings · Url Strings
Manifest: No manifest risk signals triggered.
scanned 74 file(s), 375 KB of source, external domains: morkeleb.github.io, raw.githubusercontent.com

Source & flagged code

5 flagged

dist/src/conventions.js (L63)
    L63: try {
    L64:   const fn = eval(convention.function);
    L65:   const result = fn(model);
Low · Eval

Package source references a known benign dynamic code generation pattern: a convention's function body is compiled with eval() and applied to the model.
dist/index.js (L7)
    L7: process.isCLI = require.main === module;
    L8: const command_line_1 = __importDefault(require("./src/command-line"));
    L9: command_line_1.default.parse(process.argv);
Medium · Dynamic Require

Package source references dynamic require/import behavior. Note that the require() on L8 takes a string literal path; the flagged lines are a CLI entry-point check (require.main === module) followed by a static import, not a computed module specifier.
dist/src/pipeline/engines.js (L14)
    package = clay-generator; repositoryIdentity = clay; dependency = ejs
    L14: try {
    L15:   ejs = require('ejs');
    L16: }
High · Copied Package Dependency Bridge

Package metadata claims a different repository identity (clay) than the package name (clay-generator), while the copied source loads a runtime dependency (ejs) through a try/require bridge that swallows the load failure.
package.json
    dependencies changed: handlebars-group-by
Critical · Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets. Here the dependency set differs by the entry handlebars-group-by.
package.json
    Runtime dependency names matching Node built-ins: crypto
High · Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module. A bare require('crypto') in Node always resolves to the core module, never to node_modules/crypto, so the declared package is never loaded by that call; it is still fetched and installed, and any install-time behavior it carries still runs.

Findings

1 Critical · 2 High · 4 Medium · 6 Low

Critical · Manifest Confusion · package.json
High · Copied Package Dependency Bridge · dist/src/pipeline/engines.js
High · Node Builtin Dependency Squat · package.json
Medium · Dynamic Require · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/src/conventions.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings