registry  /  codemore  /  0.2.7

codemore@0.2.7

The static analyzer your AI agent reads — finds production-blocking bugs in vibe-coded apps (CLI, GitHub Action, MCP server).

Static Scan Results

scanned 10h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 140 file(s), 1.62 MB of source, external domains: api.anthropic.com, api.openai.com, app.example.com, bandit.readthedocs.io, biomejs.dev, codemore.tech, docs.astral.sh, generativelanguage.googleapis.com, github.com, golangci-lint.run, osv.dev, raw.githubusercontent.com, reactjs.org, rust-lang.github.io, rustup.rs, staging.example.com, www.npmjs.com, www.w3.org
Oversized source lightweight scan
daemon/dist/index.js4.96 MB file, sampled 256 KB
EnvironmentVarsDynamicRequireHighEntropyStringsMinifiedUrlStringsgenerativelanguage.googleapis.com

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/download-binaries.js --skip-download
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/download-binaries.js --skip-download
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
lib/shared/packs/core-security/core-security-eval.jsView file
4* L5: * Detects `eval(...)` and `new Function(<string args>)` — the two dynamic L6: * code-execution sinks that show up in nearly every shipped XSS / RCE
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/shared/packs/core-security/core-security-eval.jsView on unpkg · L4
dist/extension.jsView file
1(()=>{"use strict";var t={520(t,e,s){var n=s(317),i=n.spawn,o=n.exec;function r(t,e,s){var n={};try{Object.keys(t).forEach(function(s){t[s].forEach(function(t){n[t]||(a(t,e),n[t]=1...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/extension.jsView on unpkg · L1
lib/shared/packs/core-security/vibe-ssrf-fetch-user-input.jsView file
4* L5: * Detects Server-Side Request Forgery (SSRF) sinks: a `fetch(...)` / L6: * `axios.get(...)` / etc. whose URL argument is sourced from user ... L20: * - `axios.get` / `axios.post` / `axios.put` / `axios.delete` / `axios.patch` L21: * - `got(...)` / `got.get(...)` / `got.post(...)` L22: * - `request(...)` (the `request` npm package) ... L28: * req.body.* / req.query.* / req.params.* / req.headers.* L29: * request.body.* / request.json() result / request.formData() L30: * searchParams.get(...) / url.searchParams.get(...) ... L382: `An attacker can point the request at AWS / GCP metadata endpoints ` + L383: `(169.254.169.254), localhost services, or anywhere on your private network. ` + L384: `Add a host allowlist before issuing the request.`,
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

lib/shared/packs/core-security/vibe-ssrf-fetch-user-input.jsView on unpkg · L4
bin/darwin-x64/ruffView file
path = bin/darwin-x64/ruff kind = native_binary sizeBytes = 25600356 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/darwin-x64/ruffView on unpkg
daemon/dist/index.jsView file
path = daemon/dist/index.js kind = oversized_source_file sizeBytes = 5200531 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

daemon/dist/index.jsView on unpkg

Findings

3 High6 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighCloud Metadata Accesslib/shared/packs/core-security/vibe-ssrf-fetch-user-input.js
HighOversized Source Filedaemon/dist/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/extension.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarybin/darwin-x64/ruff
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvallib/shared/packs/core-security/core-security-eval.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings