
llama.cpp-ts@2.0.1

Local multimodal (vision) inference for Node.js: one-off image, video, and text prompts over llama.cpp. No server, no API costs.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 10 findings at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

Public snapshot

Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, NativeBindings
Supply chain: HighEntropyStrings, UrlStrings
Manifest: no manifest risk signals triggered.

Scanned 2 file(s), 13.8 KB of source; external domains: github.com

Source & flagged code

3 flagged

package.json
scripts.postinstall = node scripts/install.js
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/install.js
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

scripts/install.js, line 11
Manifest entrypoint (scripts.postinstall) carries capability families absent from dist/build output: environment+network, execution+network.

Excerpt shown by the scanner (lines 11-20 and 49-51 of scripts/install.js; elided lines are marked with "...", and the pinned ref value is redacted on the page):

    const { spawnSync } = require('node:child_process');
    const { existsSync, rmSync } = require('node:fs');
    ...
    const LLAME_WORKER_REPO = 'https://github.com/developer239/llame-worker.git';
    const LLAME_WORKER_REF = '[redacted]';

    const rootDir = path.join(__dirname, '..');
    const vendorDir = path.join(rootDir, 'cpp', 'externals', 'llame-worker');
    ...
    if (process.env.LLAMEWORKER_SKIP_BUILD === '1') {
      console.log('[llama.cpp-ts] LLAMEWORKER_SKIP_BUILD=1 - skipping build.');

High: Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
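The three install-script findings above (an install-time hook, a hook command that is not allowlisted, and an install entrypoint whose capabilities do not appear in the shipped dist files) can be reproduced with a small pre-install audit. The block below is an added example, not code from the scan page, the scanner, or the llama.cpp-ts project. The rule names, the command allowlist, the capability regexes, and the sample package.json, install script and dist file are all assumptions constructed for the example; in real use the sources would be read from the unpacked tarball before `npm install` runs any hook.

```javascript
// Added example, not code from the scan page or the llama.cpp-ts project:
// a small pre-install audit that reproduces the three install-script findings
// above on constructed inputs. Rule names, the allowlist and the sample
// package/script contents below are assumptions made for this example.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Commands a reviewer can accept without reading a script file.
// Assumed allowlist for the example; the scanner's real list is not published here.
const ALLOWLISTED_COMMANDS = [
  /^node-gyp rebuild$/,
  /^prebuild-install(\s|$)/,
];

// Capability families, keyed to the labels used on the page. Each regex is a
// coarse static signal, not proof that the capability is exercised at runtime.
const CAPABILITY_SIGNALS = {
  execution: /require\(['"](?:node:)?child_process['"]\)/,
  environment: /\bprocess\.env\b/,
  network: /https?:\/\/[^\s'"]+/,
  filesystem: /require\(['"](?:node:)?fs['"]\)/,
  native: /require\([^)]*\.node['"]\)|\bnode-gyp\b/,
};

// Install-time lifecycle hooks declared in package.json, with allowlist status.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({
      hook,
      command: scripts[hook].trim(),
      allowlisted: ALLOWLISTED_COMMANDS.some((re) => re.test(scripts[hook].trim())),
    }));
}

// Capability families present in one source file, in CAPABILITY_SIGNALS order.
function scriptCapabilities(source) {
  return Object.entries(CAPABILITY_SIGNALS)
    .filter(([, re]) => re.test(source))
    .map(([name]) => name);
}

// Hostnames of every http(s) URL literal in a source file (deduplicated).
function externalDomains(source) {
  const domains = new Set();
  for (const m of source.matchAll(/https?:\/\/([^/\s'"]+)/g)) domains.add(m[1]);
  return [...domains];
}

// Run the three checks. `scriptSources` and `distSources` map file paths to
// file contents; only `node <file>` hook commands are resolved to a file here.
function auditPackage(pkg, scriptSources, distSources) {
  const findings = [];
  const distCaps = new Set(
    Object.values(distSources).flatMap((src) => scriptCapabilities(src)),
  );
  for (const hook of findInstallHooks(pkg)) {
    findings.push({ severity: 'high', rule: 'install-time-lifecycle-script',
      detail: `scripts.${hook.hook} = ${hook.command}` });
    if (!hook.allowlisted) {
      findings.push({ severity: 'medium', rule: 'ambiguous-install-lifecycle-script',
        detail: `${hook.command} is not allowlisted; needs review` });
    }
    const m = /^node\s+(\S+)$/.exec(hook.command);
    const src = m && scriptSources[m[1]];
    if (!src) continue;
    // Build divergence: capabilities the install entrypoint has that no dist file has.
    const divergent = scriptCapabilities(src).filter((c) => !distCaps.has(c));
    if (divergent.length > 0) {
      findings.push({ severity: 'high', rule: 'entrypoint-build-divergence',
        detail: `${m[1]}: ${divergent.join('+')}; external domains: ${externalDomains(src).join(', ') || 'none'}` });
    }
  }
  return findings;
}

// Constructed sample inputs modelled on the flagged excerpt (not the real package).
const SAMPLE_PACKAGE = {
  name: 'example-native-addon',
  version: '0.0.0',
  scripts: { postinstall: 'node scripts/install.js', test: 'node test.js' },
};
const SAMPLE_SCRIPTS = {
  'scripts/install.js': [
    "const { spawnSync } = require('node:child_process');",
    "const { existsSync, rmSync } = require('node:fs');",
    "const REPO = 'https://github.com/example-org/example-worker.git';",
    "if (process.env.EXAMPLE_SKIP_BUILD === '1') process.exit(0);",
    "spawnSync('git', ['clone', REPO], { stdio: 'inherit' });",
  ].join('\n'),
};
const SAMPLE_DIST = {
  'dist/index.js': [
    "const { existsSync } = require('node:fs');",
    "module.exports = require('../build/Release/addon.node');",
  ].join('\n'),
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE, SAMPLE_SCRIPTS, SAMPLE_DIST), null, 2));
```

On the constructed sample the audit emits the same three rules as the page: the install entrypoint carries execution, environment and network signals that the dist file (filesystem and native only) does not. The practical check this points at is the same for the real package: the excerpt shows that the script exits early when LLAMEWORKER_SKIP_BUILD=1 is set, and `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) skips the postinstall hook entirely, so the git clone and native build can be reviewed and run deliberately rather than at install time.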

Findings

2 High, 3 Medium, 5 Low

High: Install Time Lifecycle Scripts (package.json)
High: Entrypoint Build Divergence (scripts/install.js)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings