registry  /  pi-crew  /  0.9.29

pi-crew@0.9.29

Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 481 file(s), 3.88 MB of source, external domains: api.anthropic.com, api.github.com, api.z.ai, evil.example, www.minimax.io
Oversized source lightweight scan
dist/index.mjs3.02 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsapi.anthropic.comapi.github.comapi.z.aiwww.minimax.io

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
docs/followup-plan-2026-05-12.mdView file
239patternName = aws_access_key severity = critical line = 239 matchedText = content:...xt",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

docs/followup-plan-2026-05-12.mdView on unpkg · L239
239patternName = aws_access_key severity = critical line = 239 matchedText = content:...xt",
Critical
Secret Pattern

AWS access key ID in docs/followup-plan-2026-05-12.md

docs/followup-plan-2026-05-12.mdView on unpkg · L239
246patternName = aws_access_key severity = critical line = 246 matchedText = assert.o..."));
Critical
Secret Pattern

AWS access key ID in docs/followup-plan-2026-05-12.md

docs/followup-plan-2026-05-12.mdView on unpkg · L246
scripts/profile-startup.mjsView file
40const start = performance.now(); L41: const { registerPiTeams } = await import(${JSON.stringify(registerImportSpec)}); L42: const importMs = performance.now() - start;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/profile-startup.mjsView on unpkg · L40
scripts/build-crew-vibes-font.pyView file
path = scripts/build-crew-vibes-font.py kind = build_helper sizeBytes = 10677 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/build-crew-vibes-font.pyView on unpkg
dist/index.mjsView file
path = dist/index.mjs kind = oversized_source_file sizeBytes = 3161826 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.mjsView on unpkg
docs/code-review-2026-05-11.mdView file
171patternName = aws_access_key severity = critical line = 171 matchedText = content:...EF",
Critical
Secret Pattern

AWS access key ID in docs/code-review-2026-05-11.md

docs/code-review-2026-05-11.mdView on unpkg · L171

Findings

4 Critical2 High6 Medium4 Low
CriticalCritical Secretdocs/followup-plan-2026-05-12.md
CriticalSecret Patterndocs/followup-plan-2026-05-12.md
CriticalSecret Patterndocs/followup-plan-2026-05-12.md
CriticalSecret Patterndocs/code-review-2026-05-11.md
HighInstall Time Lifecycle Scriptspackage.json
HighOversized Source Filedist/index.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirescripts/profile-startup.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/build-crew-vibes-font.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings