
githolon@0.55.1

githolon — the Nomos developer CLI: Rails-style generators for @githolon/dsl domains + the package compiler. Kernel-independent.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense

Scanned 1 file(s), 263 KB of source; external domains: 127.0.0.1, kjbcjkihxskuwwfdqklt.supabase.co, nomos.captainapp.co.uk

Source & flagged code

5 flagged in dist/cli.mjs
Critical · Critical Secret
Package contains a critical-looking secret pattern.
dist/cli.mjs · L1191
  L1191: patternName = supabase_service_key severity = critical line = 1191 matchedText = DEFAULT_...SI";
Critical · Secret Pattern
Supabase service role key (JWT) in dist/cli.mjs.
dist/cli.mjs · L1191
  L1191: patternName = supabase_service_key severity = critical line = 1191 matchedText = DEFAULT_...SI";
High · Child Process
Package source references child process execution.
dist/cli.mjs · L1279
  L1279: // src/compile.ts
  L1280: import { spawn, spawnSync } from "node:child_process";
  L1281: import { createRequire } from "node:module";
High · Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/cli.mjs · L4054
  L4054: init_scene_projector();
  L4055: out11 = (s) => void process.stdout.write(s + "\n");
  L4056: err11 = (s) => void process.stderr.write("error: " + s + "\n");
  ...
  L4062: import { existsSync as existsSync13, readdirSync as readdirSync4, readFileSync as readFileSync13 } from "node:fs";
  L4063: import { spawnSync as spawnSync5 } from "node:child_process";
  L4064: import { createRequire as createRequire2 } from "node:module";
  L4065: import { dirname as dirname7, join as join14, resolve as resolve4 } from "node:path";
  L4066: import { pathToFileURL as pathToFileURL4 } from "node:url";
Medium · Dynamic Require
Package source references dynamic require/import behavior.
dist/cli.mjs · L28
  L28: async function clientConnect() {
  L29:   const mod = await import("@githolon/client");
  L30:   return mod.connect;

Findings

2 Critical, 3 High, 4 Medium, 6 Low

Critical · Critical Secret · dist/cli.mjs
Critical · Secret Pattern · dist/cli.mjs
High · Child Process · dist/cli.mjs
High · Shell
High · Command Output Exfiltration · dist/cli.mjs
Medium · Dynamic Require · dist/cli.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk: Force Deep Review
Low · Non-Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License