
fraim@2.0.184

⚠ Under review

FRAIM CLI - Framework for Rigor-based AI Management (alias for fraim-framework)

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 184 file(s), 2.28 MB of source, external domains: 127.0.0.1, accounts.google.com, ai.google.dev, antigravity.google, api.anthropic.com, api.dicebear.com, api.github.com, api.githubcopilot.com, api.stripe.com, app.seekout.com, astral.sh, cdn.jsdelivr.net, checkout.stripe.com, claude.ai, code.visualstudio.com, cursor.com, design.claude.ai, dev.azure.com, docs.astral.sh, docs.github.com, docs.gitlab.com, docs.microsoft.com, fonts.googleapis.com, fonts.gstatic.com, fraim.wellnessatwork.me, fraimworks.ai, github.com, gitlab.com, hooks.stripe.com, id.atlassian.com, js.stripe.com, kiro.dev, oauth2.googleapis.com, openai.com, support.atlassian.com, support.claude.com, windsurf.com, www.anthropic.com, www.claude.ai, www.fraimworks.ai, www.indeed.com, www.linkedin.com, x.ai

Source & flagged code

9 flagged
package.json
scripts.postinstall = node ./bin/fraim.js sync --skip-updates || echo 'FRAIM setup skipped.'
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node ./bin/fraim.js sync --skip-updates || echo 'FRAIM setup skipped.'
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/src/core/utils/git-utils.js
L9: exports.sanitizeRepoIdentifier = sanitizeRepoIdentifier;
L10: const child_process_1 = require("child_process");
L11: function extractLocalFolderLabel(rawPath) {
High
Child Process

Package source references child process execution.

dist/src/core/utils/git-utils.js · L9
bin/fraim.js
L10: // In production/installed package, code is in dist/
L11: require('../dist/src/cli/fraim.js');
L12: } catch (error) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/fraim.js · L10
dist/src/ai-hub/word-sideload.js
L21: const os_1 = __importDefault(require("os"));
L22: const child_process_1 = require("child_process");
L23: const MANIFEST_GUID = 'd1090951-50cf-4cf2-9d12-b0f8541d265c';
...
L26: path_1.default.resolve(projectPath, 'extensions/office-word/manifest.xml'),
L27: path_1.default.resolve(__dirname, '..', '..', 'extensions/office-word/manifest.xml'),
L28: path_1.default.resolve(__dirname, '..', '..', '..', 'extensions/office-word/manifest.xml'),
...
L32: function isSideloaded() {
L33: if (process.platform === 'win32') {
L34: const result = (0, child_process_1.spawnSync)('reg', [
...
L38: ], { encoding: 'utf8' });
L39: return result.status === 0 && result.stdout.includes(MANIFEST_GUID);
L40: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/src/ai-hub/word-sideload.js · L21
dist/src/cli/doctor/checks/mcp-connectivity-checks.js
L53: const child_process_1 = require("child_process");
L54: const axios_1 = __importDefault(require("axios"));
L55: const toml = __importStar(require("toml"));
...
L68: try {
L69: const command = process.platform === 'win32' ? (process.env.ComSpec || 'cmd.exe') : 'npm';
L70: const args = process.platform === 'win32' ? ['/d', '/s', '/c', 'npm --version'] : ['--version'];
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/cli/doctor/checks/mcp-connectivity-checks.js · L53
dist/src/cli/commands/override.js
L10: const chalk_1 = __importDefault(require("chalk"));
L11: const axios_1 = __importDefault(require("axios"));
L12: const git_utils_1 = require("../../core/utils/git-utils");
...
L20: .action(async (registryPath, options) => {
L21: const projectRoot = process.cwd();
L22: const configPath = (0, project_fraim_paths_1.getWorkspaceConfigPath)(projectRoot);
...
L61: if (fs_1.default.existsSync(configPath)) {
L62: config = JSON.parse(fs_1.default.readFileSync(configPath, 'utf-8'));
L63: }
...
L65: if (isLocal) {
L66: const localPort = process.env.FRAIM_MCP_PORT ? parseInt(process.env.FRAIM_MCP_PORT) : (0, git_utils_1.getPort)();
L67: serverUrl = `http://localhost:${localPort}`;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/src/cli/commands/override.js · L10
dist/src/cli/setup/user-level-sync.js
L95: try {
L96: (0, child_process_1.execSync)('npm install --no-audit --no-fund --no-save --no-package-lock --omit=dev', {
L97: cwd: baseDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/cli/setup/user-level-sync.js · L95
dist/src/cli/distribution/marketplace-bundles.js
matchType = previous_version_dangerous_delta
matchedPackage = fraim@2.0.183
matchedIdentity = npm:ZnJhaW0:2.0.183
similarity = 0.958
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/src/cli/distribution/marketplace-bundles.js

Findings

1 Critical · 5 High · 6 Medium · 5 Low
Critical · Previous Version Dangerous Delta · dist/src/cli/distribution/marketplace-bundles.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/src/core/utils/git-utils.js
High · Same File Env Network Execution · dist/src/cli/doctor/checks/mcp-connectivity-checks.js
High · Sandbox Evasion Gated Capability · dist/src/cli/commands/override.js
High · Runtime Package Install · dist/src/cli/setup/user-level-sync.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · bin/fraim.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/src/ai-hub/word-sideload.js
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings