registry  /  create-claritty-app  /  0.7.0

create-claritty-app@0.7.0

Scaffold, test, and deploy Claritty agentic apps. Includes the `claritty` CLI (login/test/deploy).

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 102 KB of source, external domains: api.claritty.ai, app.claritty.ai, github.com

Source & flagged code

2 flagged · loading source
dist/index.jsView file
70*/ L71: const node_child_process_1 = require("node:child_process"); L72: const fs = __importStar(require("node:fs")); ... L77: /** Public seed repository. Cloned credential-free over HTTPS. */ L78: const DEFAULT_SEED_REPO = 'https://github.com/Clarittyai/agentic-app-seed.git'; L79: /** ... L118: // --- Tiny ANSI helpers (no deps) --------------------------------------------- L119: const supportsColor = process.stdout.isTTY && process.env.NO_COLOR === undefined; L120: const paint = (code, s) => (supportsColor ? `\x1b[${code}m${s}\x1b[0m` : s); ... L167: const SPIN_FRAMES = ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏']; L168: const spinTTY = !!process.stdout.isTTY && process.env.NO_COLOR === undefined && process.env.CI === undefined; L169: let activeSpinner = null;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L70
matchType = previous_version_dangerous_delta matchedPackage = create-claritty-app@0.6.6 matchedIdentity = npm:Y3JlYXRlLWNsYXJpdHR5LWFwcA:0.6.6 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

2 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/index.js
HighPrevious Version Dangerous Deltadist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings