ltcai@8.3.0

Lattice AI — local-first Digital Brain that keeps your knowledge durable across any AI model.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Minified, Telemetry, Url Strings
Manifest: No manifest risk signals triggered.
scanned 25 file(s), 1.37 MB of source, external domains: 127.0.0.1, github.com, react.dev, reactflow.dev, www.w3.org

Source & flagged code

5 flagged

bin/ltcai.js
L3: const { spawn } = require("node:child_process");
L4: const { spawnSync } = require("node:child_process");
High
Child Process

Package source references child process execution.

bin/ltcai.js · L2

scripts/run_integration_tests.mjs
L1: #!/usr/bin/env node
L2: import { spawn } from "node:child_process";
L3: import { existsSync } from "node:fs";
...
L5:
L6: const host = process.env.LTCAI_TEST_HOST || "127.0.0.1";
L7: const port = process.env.LTCAI_TEST_PORT || "8899";
L8: const baseUrl = process.env.LTCAI_TEST_BASE_URL || `http://${host}:${port}`;
L9: const venvPython = join(process.cwd(), ".venv", "bin", "python");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

scripts/run_integration_tests.mjs · L1

scripts/lint_frontend.mjs
L32: const tsc = spawnSync("npx", ["tsc", "-p", "tsconfig.json", "--noEmit"], { cwd: repo, encoding: "utf8" });
L33: if (tsc.status !== 0) fail(`frontend typecheck\n${tsc.stdout}${tsc.stderr}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/lint_frontend.mjs · L31

telegram_bot.py
path = telegram_bot.py
kind = build_helper
sizeBytes = 322
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

telegram_bot.py

static/vendor/icons/tabler-icons.woff2
path = static/vendor/icons/tabler-icons.woff2
kind = high_entropy_blob
sizeBytes = 820316
magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

static/vendor/icons/tabler-icons.woff2

Findings

5 High · 4 Medium · 5 Low

High · Child Process · bin/ltcai.js
High · Shell
High · Same File Env Network Execution · scripts/run_integration_tests.mjs
High · Runtime Package Install · scripts/lint_frontend.mjs
High · Ships High Entropy Blob · static/vendor/icons/tabler-icons.woff2
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · telegram_bot.py
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings