registry  /  gipity  /  1.0.426

gipity@1.0.426

⚠ Under review

The full-stack platform tuned for AI agents. Database, storage, auth, functions, deploy, and drop-in kits - all agent-tuned. Pair with Claude Code or use standalone.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 112 file(s), 1.70 MB of source, external domains: a.gipity.ai, aider.chat, dev.gipity.ai, gipity.ai, media.gipity.ai, prompt.gipity.ai, registry.npmjs.org, schema.org, schemas.microsoft.com, www.apple.com

Source & flagged code

7 flagged · loading source
dist/claude-setup.jsView file
10*/ L11: import { execSync } from 'child_process'; L12: import { existsSync } from 'fs';
High
Child Process

Package source references child process execution.

dist/claude-setup.jsView on unpkg · L10
dist/index.jsView file
57* Constructs the CommanderError class L58: * @param {number} exitCode suggested exit code which could be used with process.exit L59: * @param {string} code an id string representing the error ... L1167: var EventEmitter = __require("node:events").EventEmitter; L1168: var childProcess = __require("node:child_process"); L1169: var path4 = __require("node:path"); ... L1217: this._outputConfiguration = { L1218: writeOut: (str) => process2.stdout.write(str), L1219: writeErr: (str) => process2.stderr.write(str), ... L1256: * @returns {Command[]} L1257: * @private L1258: */
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/index.jsView on unpkg · L57
57Trigger-reachable chain: manifest.bin -> dist/gipcc.js -> dist/index.js L57: * Constructs the CommanderError class L58: * @param {number} exitCode suggested exit code which could be used with process.exit L59: * @param {string} code an id string representing the error ... L1167: var EventEmitter = __require("node:events").EventEmitter; L1168: var childProcess = __require("node:child_process"); L1169: var path4 = __require("node:path"); ... L1217: this._outputConfiguration = { L1218: writeOut: (str) => process2.stdout.write(str), L1219: writeErr: (str) => process2.stderr.write(str), ... L1256: * @returns {Command[]} L1257: * @private L1258: */
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L57
2007} L2008: const execArgv = process2.execArgv ?? []; L2009: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L2007
57* Constructs the CommanderError class L58: * @param {number} exitCode suggested exit code which could be used with process.exit L59: * @param {string} code an id string representing the error ... L1167: var EventEmitter = __require("node:events").EventEmitter; L1168: var childProcess = __require("node:child_process"); L1169: var path4 = __require("node:path"); ... L1217: this._outputConfiguration = { L1218: writeOut: (str) => process2.stdout.write(str), L1219: writeErr: (str) => process2.stderr.write(str), ... L1256: * @returns {Command[]} L1257: * @private L1258: */
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L57
dist/updater/shim.jsView file
5Cross-file remote execution chain: dist/updater/shim.js spawns dist/index.js; helper contains network access plus dynamic code execution. L5: // src/platform.ts L6: import { execSync, spawn, spawnSync } from "child_process"; L7: function resolveCommand(cmd) { L8: if (process.platform !== "win32") return cmd; L9: try { ... L19: function winBatchInvocation(cmd, args) { L20: const comspec = process.env.ComSpec || "cmd.exe"; L21: const quote = (t) => `"${String(t).replace(/"/g, '""')}"`; ... L48: import { homedir } from "os"; L49: var GIPITY_DIR = join(homedir(), ".gipity"); L50: var LOCAL_DIR = join(GIPITY_DIR, "local"); ... L67: try {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/updater/shim.jsView on unpkg · L5
dist/updater/check.jsView file
matchType = previous_version_dangerous_delta matchedPackage = gipity@1.0.414 matchedIdentity = npm:Z2lwaXR5:1.0.414 similarity = 0.736 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/updater/check.jsView on unpkg

Findings

3 Critical3 High5 Medium5 Low
CriticalCommand Output Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
CriticalPrevious Version Dangerous Deltadist/updater/check.js
HighChild Processdist/claude-setup.js
HighShelldist/index.js
HighCross File Remote Execution Contextdist/updater/shim.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings