registry  /  prism-kanban  /  1.3.0

prism-kanban@1.3.0

Local-first kanban + agent pipeline runner with terminal and MCP integration.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 78 file(s), 1.94 MB of source, external domains: 127.0.0.1, github.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/update.jsView file
15const readline = require('readline'); L16: const { spawnSync } = require('child_process'); L17:
High
Child Process

Package source references child process execution.

bin/update.jsView on unpkg · L15
bin/stop.jsView file
14L15: const path = require('path'); L16: const fs = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/stop.jsView on unpkg · L14
src/services/folio/backend.jsView file
293*/ L294: function openFileBackend({ cwd = process.cwd(), cache = false, root: explicitRoot } = {}) { L295: // 1. Discover .folio/ root ... L419: let raw = {}; L420: try { raw = JSON.parse(fs.readFileSync(manifestPath, 'utf8')) || {}; } catch (_) { /* absent/invalid */ } L421: writeManifest(manifestPath, {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/services/folio/backend.jsView on unpkg · L293
server.jsView file
32Manifest entrypoint (manifest.main) carries capability families absent from dist/build output: environment+network L32: L33: const http = require('http'); L34: const path = require('path'); ... L50: L51: const DEFAULT_PORT = parseInt(process.env.PORT || '3000', 10); L52: ... L54: env: process.env, L55: packageRoot: __dirname, L56: homedir: os.homedir(), ... L157: res.writeHead(500, { 'Content-Type': 'application/json; charset=utf-8', 'Content-Length': Buffer.byteLength(payload) }); L158: res.end(payload); L159: });
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

server.jsView on unpkg · L32
bin/init.jsView file
113const serverScript = path.join(PACKAGE_ROOT, 'server.js'); L114: const child = spawn(process.execPath, [serverScript], { L115: detached: true, ... L117: cwd: PACKAGE_ROOT, L118: env: Object.assign({}, process.env, { PORT: String(port) }), L119: }); ... L126: /** L127: * Polls `GET http://127.0.0.1:<port>/api/v1/spaces` every 200 ms until it L128: * returns HTTP 200 or the budget is exhausted.
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/init.jsView on unpkg · L113
terminal.jsView file
235package = prism-kanban; repositoryIdentity = prism; dependency = node-pty L235: L236: /** @type {import('node-pty')|null} */ L237: let nodePty = null;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

terminal.jsView on unpkg · L235

Findings

6 High5 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/update.js
HighShell
HighEntrypoint Build Divergenceserver.js
HighSame File Env Network Executionbin/init.js
HighCopied Package Dependency Bridgeterminal.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/stop.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptosrc/services/folio/backend.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings