
igris-ai@7.0.1

Igris AI unified CLI — init, refresh, install, update, sync, doctor, register-project for Igris projects.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.

Scanned 224 file(s), 2.75 MB of source. External domains: api.github.com, brain.example.com, github.com

Source & flagged code

5 flagged

package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

dist/lib/skills-delegate.js
L37:  */
L38: import { spawnSync } from "node:child_process";
L39: import { existsSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/lib/skills-delegate.js · L37

dist/lib/github-source.js
L521: * True if a binary is on PATH. M1: pass `bin` as an argv element to `command`
L522: * via `bash -c 'command -v "$1"' _ <bin>` rather than interpolating it into the
L523: * shell string — defense-in-depth even though every caller passes a hardcoded
High
Shell

Package source references shell execution.

dist/lib/github-source.js · L521

dist/lib/self-update.js
L3: *
L4: * Invokes `npm install -g igris-ai@latest` via `child_process.execFile`, with
L5: * stdio inherited so the user sees npm's progress live. Returns the npm exit
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/lib/self-update.js · L3

Findings

4 High, 4 Medium, 5 Low

High: Install Time Lifecycle Scripts (package.json)
High: Child Process (dist/lib/skills-delegate.js)
High: Shell (dist/lib/github-source.js)
High: Runtime Package Install (dist/lib/self-update.js)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings