
ghost-architect-open@9.4.28

⚠ Under review

AI-powered codebase archaeology: understand what you inherited

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the previous stored version diff introduced dangerous source.

Decision evidence

public snapshot

Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense

Scanned 112 file(s), 1.79 MB of source. External domains: api.anthropic.com, ghostarchitect.dev, github.com, license.ghostarchitect.dev, signup.ghostarchitect.dev, timeapi.io, worldtimeapi.org

Source & flagged code

8 flagged

src/redactor.js
L67: patternName = private_key_rsa, severity = critical, line = 67, matchedText = { begin:...' },
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/redactor.js · L67
L67: patternName = private_key_rsa, severity = critical, line = 67, matchedText = { begin:...' },
Critical
Secret Pattern

RSA private key in src/redactor.js

src/redactor.js · L67
L68: patternName = private_key_ec, severity = critical, line = 68, matchedText = { begin:...' },
Critical
Secret Pattern

EC private key in src/redactor.js

src/redactor.js · L68
L70: patternName = private_key_rsa, severity = critical, line = 70, matchedText = { begin:...' },
Critical
Secret Pattern

RSA private key in src/redactor.js

src/redactor.js · L70
L72: patternName = private_key_openssh, severity = critical, line = 72, matchedText = { begin:...' },
Critical
Secret Pattern

OpenSSH private key in src/redactor.js

src/redactor.js · L72

src/prompt-pack/tokenizer.js
L79: try {
L80:   const mod = await import(encodingPath);
L81:   const encoder = { encode: mod.encode };
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/prompt-pack/tokenizer.js · L79

src/modes/audit/index.js
L25: // v0.2.0 (current): stackReality + keyPersonRisk are real; the other two
L26: // remain stubbed pending Day 3. Output to stdout shows real findings
L27: // when available; PDF generation comes in Day 4.
...
L32: import inquirer from 'inquirer';
L33: import { spawn } from 'child_process';
L34: import { runStackRealityCheck } from './stackReality.js';
...
L45:
L46: const IS_WINDOWS = process.platform === 'win32';
L47: const SYM = { check: IS_WINDOWS ? '[OK]' : '✓', warn: IS_WINDOWS ? '[!]' : '⚠' };
...
L85:   chalk.gray( ' audit history') + '\n\n' +
L86:   chalk.cyan('Upgrade at: ') + chalk.cyan.underline('https://ghostarchitect.dev/pricing'),
L87:   { padding: 1, borderColor: 'cyan', borderStyle: 'round' }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/modes/audit/index.js · L25

src/modes/watcher-commit.js
matchType = previous_version_dangerous_delta
matchedPackage = ghost-architect-open@9.4.14
matchedIdentity = npm:Z2hvc3QtYXJjaGl0ZWN0LW9wZW4:9.4.14
similarity = 0.865
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/modes/watcher-commit.js

Findings

6 Critical · 1 High · 4 Medium · 5 Low

Critical · Critical Secret · src/redactor.js
Critical · Previous Version Dangerous Delta · src/modes/watcher-commit.js
Critical · Secret Pattern · src/redactor.js
Critical · Secret Pattern · src/redactor.js
Critical · Secret Pattern · src/redactor.js
Critical · Secret Pattern · src/redactor.js
High · Sandbox Evasion Gated Capability · src/modes/audit/index.js
Medium · Dynamic Require · src/prompt-pack/tokenizer.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License