gencow@0.1.162

Gencow — AI Backend Engine

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Minified, Url Strings
Manifest: No License
scanned 96 file(s), 2.38 MB of source, external domains: docs.gencow.com, example.com, foo.bar, gencow.app, json-schema.org, kapi.kakao.com, kauth.kakao.com, myapp.com, myapp.vercel.app, nid.naver.com, nodejs.org, openapi.naver.com, platform.openai.com, react.dev, www.postgresql.org, www.w3.org, yarnpkg.com
Oversized source lightweight scan
server/index.js: 4.02 MB file, sampled 256 KB
  Signals: Filesystem, Network, Child Process, Environment Vars, Eval, Crypto, Dynamic Require, High Entropy Strings, Url Strings
  Domains: example.com, foo.bar, kapi.kakao.com, kauth.kakao.com, nid.naver.com, nodejs.org, openapi.naver.com, yarnpkg.com

Source & flagged code

6 flagged

bin/gencow.mjs
  L18:
  L19: import { execSync, spawn } from "child_process";
  L20: import { existsSync, readFileSync, writeFileSync, unlinkSync, cpSync, symlinkSync, copyFileSync } from "fs";
High
Child Process

Package source references child process execution.

bin/gencow.mjs · L18

bin/gencow.mjs
  L475: stdio: "inherit",
  L476: shell: true,
  L477: });
High
Shell

Package source references shell execution.

bin/gencow.mjs · L475

lib/cli-project-runtime.mjs
  L138: const url = `${href}?t=${encodeURIComponent(String(mtimeMs))}`;
  L139: const mod = await import(url);
  L140: return mod && typeof mod === "object" && "default" in mod ? mod.default : mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/cli-project-runtime.mjs · L138

lib/readme-codegen.mjs
  L280: md += `- Production backend deploy: npx gencow deploy --prod (Pro+ only)\n`;
  L281: md += `- Fullstack static deploy: VITE_API_URL=https://{appId}.{domain} npm run build, then npx gencow deploy --static dist/\n`;
  L282: md += `- If a backend is present, Gencow deploys the backend before frontend assets.\n`;
  L283: md += `- Set cloud env vars with npx gencow env set KEY=VALUE.\n`;
  L284: md += `- Read process.env inside handlers so hot-reloaded env values are current.\n\n`;
  L285: md += `Data modeling rules:\n`;
  ...
  L292: md += `- npm-installed third-party packages are installed during deploy.\n`;
  L293: md += `- child_process, vm, os, cluster, and worker_threads are blocked in deployed tenant apps.\n`;
  L294: md += `- Prefer SHA-256 with node:crypto or Web Crypto API instead of custom 32-bit hashes.\n`;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/readme-codegen.mjs · L280

lib/platform-client.mjs
  L6:
  L7: const CREDS_PATH = resolve(homedir(), ".gencow", "credentials.json");
  L8: ...
  L10: try {
  L11: return JSON.parse(readFileSync(CREDS_PATH, "utf8"));
  L12: } catch {
  ...
  L25:
  L26: export function resolveCredsFromSources({ env = process.env, loadCredsImpl = loadCreds } = {}) {
  L27: const envToken = env.GENCOW_TOKEN || env.GENCOW_DEPLOY_TOKEN;
  L28: if (envToken) {
  L29: const platformUrl = env.GENCOW_PLATFORM_URL || "https://gencow.app";
  L30: return { apiKey: envToken, platformUrl: validatePlatformUrl(platformUrl) };
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

lib/platform-client.mjs · L6

server/index.js
  path = server/index.js
  kind = oversized_source_file
  sizeBytes = 4214662
  magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

server/index.js

Findings

5 High · 4 Medium · 7 Low

High · Child Process · bin/gencow.mjs
High · Shell · bin/gencow.mjs
High · Same File Env Network Execution · lib/readme-codegen.mjs
High · Sandbox Evasion Gated Capability · lib/platform-client.mjs
High · Oversized Source File · server/index.js
Medium · Dynamic Require · lib/cli-project-runtime.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License