
githolon@0.44.0

githolon — the Nomos developer CLI: Rails-style generators for @githolon/dsl domains + the package compiler. Kernel-independent.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense

Scanned 1 file(s), 234 KB of source. External domains referenced: 127.0.0.1, kjbcjkihxskuwwfdqklt.supabase.co, nomos.captainapp.co.uk

Source & flagged code

3 flagged, all in dist/cli.mjs

1. Critical · Critical Secret · dist/cli.mjs, line 1156
   patternName = supabase_service_key, severity = critical, line = 1156, matchedText = DEFAULT_...SI";
   Package contains a critical-looking secret pattern.

2. Critical · Secret Pattern · dist/cli.mjs, line 1156
   patternName = supabase_service_key, severity = critical, line = 1156, matchedText = DEFAULT_...SI";
   Supabase service role key (JWT) in dist/cli.mjs. Both critical findings point at the same matched string on the same line; this one names what the pattern matched.

3. Medium · Dynamic Require · dist/cli.mjs, lines 28-30
   Package source references dynamic require/import behavior. Flagged excerpt:

       async function clientConnect() {
         const mod = await import("@githolon/client");
         return mod.connect;
       }

   The call loads @githolon/client lazily, when clientConnect() runs, rather than at module load. Because the specifier is a string literal the target is still statically resolvable, which matters when triaging this medium finding.
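The signals above come from the registry's own scanner (rust-scanner), whose code is not on this page. The following is an added example, not rust-scanner's logic and not part of githolon, showing how three of them (supabase_service_key, Url Strings with external domains, Dynamic Require) can be reproduced locally over an unpacked tarball before install. Assumptions: the JavaScript sample and the JWTs inside it are constructed here (HS256 with a junk secret, project ref "exampleref"), and the classifier relies on the claim shape Supabase API keys carry (iss "supabase", role "anon" or "service_role"). It decodes the JWT payload without verifying the signature: a scanner has no signing secret and does not need one to classify.

```python
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import urlparse

# Regexes for the three signals this example reproduces. JWT_RE relies on the
# fact that a base64url-encoded JSON object always starts with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
URL_RE = re.compile(r"""https?://[^\s'")<>`]+""")
DYNAMIC_LOAD_RE = re.compile(r"\b(?:import|require)\s*\(\s*([^)]*)\)")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_fake_supabase_jwt(role: str, ref: str = "exampleref") -> str:
    """Constructed look-alike of a Supabase API key: HS256 JWT with the
    claim shape Supabase uses (iss/ref/role), signed with a junk secret.
    Sample input only; it is not a real key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": "supabase", "ref": ref, "role": role,
              "iat": 1700000000, "exp": 2000000000}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(b"not-a-real-secret", f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment only; no signature check is attempted."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)        # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_supabase_jwt(token: str):
    """Return (severity, patternName) for Supabase-issued JWTs, else None."""
    try:
        claims = decode_jwt_claims(token)
    except (ValueError, IndexError, UnicodeDecodeError):
        return None
    if claims.get("iss") != "supabase":
        return None
    if claims.get("role") == "service_role":
        return ("critical", "supabase_service_key")   # server-side key, bypasses RLS
    return ("low", "supabase_anon_key")               # public by design


def redact(text: str) -> str:
    """Report a secret the way the scan page does: prefix, ellipsis, suffix."""
    return text[:10] + "..." + text[-4:]


def scan(source: str) -> dict:
    """Line-oriented scan producing findings shaped like the report above."""
    findings, domains = [], set()
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in JWT_RE.finditer(line):
            cls = classify_supabase_jwt(m.group(0))
            if cls:
                findings.append({"severity": cls[0], "patternName": cls[1],
                                 "line": lineno, "matchedText": redact(m.group(0))})
        for m in URL_RE.finditer(line):
            host = urlparse(m.group(0)).hostname
            if host:
                domains.add(host)
                findings.append({"severity": "low", "patternName": "url_string",
                                 "line": lineno, "matchedText": host})
        for m in DYNAMIC_LOAD_RE.finditer(line):
            arg = m.group(1).strip()
            # A quoted specifier is still statically resolvable; a computed one is not.
            literal = len(arg) >= 2 and arg[0] in "\"'" and arg[-1] == arg[0]
            findings.append({"severity": "medium",
                             "patternName": "dynamic_require" if literal
                             else "dynamic_require_nonliteral",
                             "line": lineno, "matchedText": arg})
    return {"findings": findings, "external_domains": sorted(domains)}


# Constructed sample source (not githolon's dist/cli.mjs) exercising each signal.
SAMPLE_JS = "\n".join([
    'const DEFAULT_SUPABASE_URL = "https://exampleref.supabase.co";',
    f'const DEFAULT_SERVICE_KEY = "{make_fake_supabase_jwt("service_role")}";',
    f'const ANON_KEY = "{make_fake_supabase_jwt("anon")}";',
    'const LOCAL_API = "http://127.0.0.1:54321/rest/v1";',
    'async function clientConnect() {',
    '  const mod = await import("@githolon/client");',
    '  return mod.connect;',
    '}',
    'const plugin = require(process.env.GITHOLON_PLUGIN);',
])

if __name__ == "__main__":
    for f in scan(SAMPLE_JS)["findings"]:
        print(f"{f['severity']:8} {f['patternName']:28} line {f['line']}: {f['matchedText']}")
```

Run it over every file produced by `npm pack` before installing. A service_role match in shipped code is a credential exposure whether or not the package is malicious, so the response is rotating the key on the Supabase side, not only a warn. The dynamic-load check also shows why a Dynamic Require finding with a literal specifier is less alarming than one driven by the environment: the first target is known before anything runs, the second is not.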

Findings

2 Critical · 4 Medium · 6 Low

Critical  Critical Secret                 dist/cli.mjs
Critical  Secret Pattern                  dist/cli.mjs
Medium    Dynamic Require                 dist/cli.mjs
Medium    Network
Medium    Environment Vars
Medium    Structural Risk (Force Deep Review)
Low       Non-Install Lifecycle Scripts
Low       Scripts Present
Low       Filesystem
Low       High Entropy Strings
Low       Url Strings
Low       No License