registry  /  facult  /  2.20.0

facult@2.20.0

Manage canonical AI capabilities, sync surfaces, and evolution state.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
WildcardDependency
scanned 76 file(s), 1.30 MB of source, external domains: api.github.com, api.smithery.ai, github.com, glama.ai, hack.dance, raw.githubusercontent.com, skills.sh, wry-manatee-359.convex.site

Source & flagged code

3 flagged · loading source
bin/fclt.cjsView file
3L4: const fs = require("node:fs"); L5: const fsp = require("node:fs/promises");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/fclt.cjsView on unpkg · L3
src/self-update.tsView file
98try { L99: const txt = await Bun.file(path).text(); L100: return JSON.parse(txt) as InstallState; ... L112: const envMethod = L113: context.envInstallMethod ?? process.env.FACULT_INSTALL_METHOD?.trim(); L114: if (envMethod === "script-dev" || envMethod === "script-bin") { ... L121: const exec = context.executablePath ?? process.execPath; L122: const home = context.homeDir ?? homedir(); L123: if ([redacted](exec)) { ... L203: stdin: "ignore", L204: stdout: "pipe", L205: stderr: "ignore",
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/self-update.tsView on unpkg · L98
plugins/fclt/scripts/fclt-runtime.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = facult@2.19.1 matchedIdentity = npm:ZmFjdWx0:2.19.1 similarity = 0.932 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

plugins/fclt/scripts/fclt-runtime.cjsView on unpkg

Findings

2 High5 Medium5 Low
HighSandbox Evasion Gated Capabilitysrc/self-update.ts
HighPrevious Version Dangerous Deltaplugins/fclt/scripts/fclt-runtime.cjs
MediumDynamic Requirebin/fclt.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings