registry  /  devglide  /  0.2.37

devglide@0.2.37

AI workflow toolkit with MCP servers for kanban, shell, testing, workflows, and more — built for Claude Code

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 226 file(s), 9.60 MB of source, external domains: 127.0.0.1, 93.184.216.34, api.groq.com, api.openai.com, cdn.jsdelivr.net, developer.mozilla.org, example.com, feross.org, gist.github.com, git.new, github.com, jimmy.warting.se, json-schema.org, mathiasbynens.be, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.rfc-editor.org, www.w3.org, www.youtube.com
Oversized source lightweight scan
dist/mcp/kanban.mjs2.27 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsEvalCryptoHighEntropyStringsUrlStringsexample.comraw.githubusercontent.com
dist/mcp/voice.mjs2.20 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsEvalCryptoShellHighEntropyStringsUrlStringsapi.groq.comexample.comfeross.orggithub.comjimmy.warting.seraw.githubusercontent.com

Source & flagged code

9 flagged · loading source
bin/devglide.jsView file
2L3: import { spawn, execSync, spawnSync } from "child_process"; L4: import { resolve, dirname } from "path";
High
Child Process

Package source references child process execution.

bin/devglide.jsView on unpkg · L2
90const ps = spawn( L91: "powershell", L92: ["-NoProfile", "-Command", `Get-Content -Path '${logFile}' -Tail 50 -Wait`],
High
Shell

Package source references shell execution.

bin/devglide.jsView on unpkg · L90
271} else { L272: const child = spawn(process.execPath, [entry, "--stdio"], { L273: cwd, L274: stdio: "inherit", L275: env: process.env, L276: }); ... L285: try { L286: const res = await fetch(`http://127.0.0.1:${SERVER_PORT}/api/health`, { L287: signal: AbortSignal.timeout(1500),
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/devglide.jsView on unpkg · L271
dist/mcp/log.mjsView file
7789site.name = fn.name; L7790: var deprecatedfn = new Function( L7791: "fn",
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/mcp/log.mjsView on unpkg · L7789
src/packages/eslint-config/index.jsView file
1const tsPlugin = require("@typescript-eslint/eslint-plugin"); L2: const tsParser = require("@typescript-eslint/parser");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/packages/eslint-config/index.jsView on unpkg · L1
src/apps/log/src/services/file-tailer.tsView file
31export class FileTailer { L32: private watcher: FSWatcher | null = null; L33: private offsets = new Map<string, number>(); ... L186: L187: const chunk = buffer.toString("utf-8", 0, bytesRead); L188: const partial = this.partials.get(filePath) || "";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/apps/log/src/services/file-tailer.tsView on unpkg · L31
src/packages/ssrf-guard.tsView file
5* 1. Checking the URL string for blocked protocols and known-bad hostnames L6: * 2. Resolving the hostname via DNS and rejecting private/internal IPs L7: * L8: * Also provides `safeFetch()` which additionally handles redirects safely L9: * by re-validating each Location header before following it. ... L11: L12: import dns from 'node:dns'; L13: import net from 'node:net'; ... L178: req.on('error', reject); L179: if (options.body && typeof options.body === 'string') req.write(options.body); L180: req.end();
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

src/packages/ssrf-guard.tsView on unpkg · L5
dist/mcp/voice.mjsView file
path = dist/mcp/voice.mjs kind = oversized_source_file sizeBytes = 2302335 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/mcp/voice.mjsView on unpkg
path = dist/mcp/voice.mjs kind = oversized_cli_entrypoint sizeBytes = 2302335 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/mcp/voice.mjsView on unpkg

Findings

5 High5 Medium7 Low
HighChild Processbin/devglide.js
HighShellbin/devglide.js
HighSame File Env Network Executionbin/devglide.js
HighCloud Metadata Accesssrc/packages/ssrf-guard.ts
HighOversized Source Filedist/mcp/voice.mjs
MediumDynamic Requiresrc/packages/eslint-config/index.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/mcp/voice.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/mcp/log.mjs
LowWeak Cryptosrc/apps/log/src/services/file-tailer.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings