registry  /  githolon  /  0.65.1

githolon@0.65.1

githolon — the Nomos developer CLI: Rails-style generators for @githolon/dsl domains + the package compiler. Kernel-independent.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 364 KB of source, external domains: 127.0.0.1, kjbcjkihxskuwwfdqklt.supabase.co, nomos.captainapp.co.uk

Source & flagged code

5 flagged · loading source
dist/cli.mjsView file
4023patternName = supabase_service_key severity = critical line = 4023 matchedText = DEFAULT_...SI";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/cli.mjsView on unpkg · L4023
4023patternName = supabase_service_key severity = critical line = 4023 matchedText = DEFAULT_...SI";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/cli.mjs

dist/cli.mjsView on unpkg · L4023
3048try { L3049: const { execFileSync } = await import("node:child_process"); L3050: seed = execFileSync("gcloud", ["secrets", "versions", "access", "latest", "--secret", opts.gcpSecret], { encoding: "utf8" }).trim();
High
Child Process

Package source references child process execution.

dist/cli.mjsView on unpkg · L3048
6244init_scene_projector(); L6245: out11 = (s) => void process.stdout.write(s + "\n"); L6246: err11 = (s) => void process.stderr.write("error: " + s + "\n"); ... L6252: import { existsSync as existsSync13, readdirSync as readdirSync4, readFileSync as readFileSync13 } from "node:fs"; L6253: import { spawnSync as spawnSync5 } from "node:child_process"; L6254: import { createRequire as createRequire2 } from "node:module"; L6255: import { dirname as dirname7, join as join14, resolve as resolve4 } from "node:path"; L6256: import { pathToFileURL as pathToFileURL4 } from "node:url";
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.mjsView on unpkg · L6244
2727async function clientConnect() { L2728: const mod = await import("@githolon/client"); L2729: return mod.connect;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.mjsView on unpkg · L2727

Findings

2 Critical3 High4 Medium6 Low
CriticalCritical Secretdist/cli.mjs
CriticalSecret Patterndist/cli.mjs
HighChild Processdist/cli.mjs
HighShell
HighCommand Output Exfiltrationdist/cli.mjs
MediumDynamic Requiredist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License