registry  /  gipity  /  1.1.1

gipity@1.1.1

The full-stack platform tuned for AI agents. Database, storage, auth, functions, deploy, and drop-in kits - all agent-tuned. Pair with Claude Code or use standalone.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 123 file(s), 1.40 MB of source, external domains: a.gipity.ai, aider.chat, dev.gipity.ai, gipity.ai, github.com, grok.x.ai, media.gipity.ai, prompt.gipity.ai, registry.npmjs.org, schemas.microsoft.com, www.apple.com
Oversized source lightweight scan
dist/index.js2.07 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoHighEntropyStrings

Source & flagged code

7 flagged · loading source
dist/commands/page-eval.jsView file
157// eslint-disable-next-line no-new-func L158: new Function(`return (${s}\n);`); L159: return true;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/commands/page-eval.jsView on unpkg · L157
dist/updater/shim.jsView file
2import { createRequire as __cliCreateRequire } from 'module'; L3: const require = __cliCreateRequire(import.meta.url); L4:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/updater/shim.jsView on unpkg · L2
dist/commands/uninstall.jsView file
27function removeGipityPluginConfig() { L28: const settingsPath = join(homedir(), '.claude', 'settings.json'); L29: if (!existsSync(settingsPath)) ... L32: try { L33: settings = JSON.parse(readFileSync(settingsPath, 'utf-8')); L34: } ... L65: const touched = []; L66: for (const name of ['.bashrc', '.zshrc', '.profile']) { L67: const rc = join(homedir(), name); ... L147: if (err instanceof UnsupportedPlatformError) L148: return { ran: false, ok: true, note: `Unsupported platform (${process.platform}) - nothing to uninstall.` }; L149: return { ran: false, ok: false, note: String(err) };
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/uninstall.jsView on unpkg · L27
dist/updater/check.jsView file
11import { homedir } from "os"; L12: var GIPITY_DIR = join(homedir(), ".gipity"); L13: var LOCAL_DIR = join(GIPITY_DIR, "local"); ... L33: try { L34: return { ...DEFAULT_STATE, ...JSON.parse(readFileSync(STATE_FILE, "utf-8")) }; L35: } catch { ... L51: function updatesDisabled() { L52: if (process.env["DISABLE_AUTOUPDATER"] === "1") return { disabled: true, reason: "DISABLE_AUTOUPDATER=1" }; L53: if (process.env["CI"]) return { disabled: true, reason: "CI environment" }; ... L58: // src/platform.ts L59: import { execSync, spawn, spawnSync } from "child_process"; L60: function resolveCommand(cmd) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/updater/check.jsView on unpkg · L11
dist/index.jsView file
path = dist/index.js kind = oversized_source_file sizeBytes = 2170613 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.jsView on unpkg
path = dist/index.js kind = oversized_cli_entrypoint sizeBytes = 2170613 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/index.jsView on unpkg
dist/commands/build.jsView file
matchType = previous_version_dangerous_delta matchedPackage = gipity@1.0.429 matchedIdentity = npm:Z2lwaXR5:1.0.429 similarity = 0.832 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/build.jsView on unpkg

Findings

3 High6 Medium6 Low
HighSandbox Evasion Gated Capabilitydist/updater/check.js
HighOversized Source Filedist/index.js
HighPrevious Version Dangerous Deltadist/commands/build.js
MediumDynamic Requiredist/updater/shim.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/uninstall.js
MediumOversized Cli Entrypointdist/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/commands/page-eval.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings