registry  /  regixo  /  0.1.18

regixo@0.1.18

⚠ Under review

Free, local-first data catalog + context layer for AI agents — one command, no Docker, zero metadata egress, read-only MCP. The `regixo` command: scan your sources (metadata only), map the columns that look like personal data, draft the GDPR Art. 30 RoPA

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 73 file(s), 647 KB of source, external domains: api.example.com, app.regixo.com, hooks.example

Source & flagged code

3 flagged · loading source
dist/portal.jsView file
32return undefined; L33: const mod = (await import(__rewriteRelativeImportExtension(pathToFileURL(path).href))); L34: return mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/portal.jsView on unpkg · L32
dist/commands/connectors.jsView file
46return `#!/usr/bin/env node L47: // Regixo generator for "${name}" — prints this source's SCHEMA (metadata only) to stdout on each scan. L48: // Regixo runs this OUT-OF-PROCESS and ingests only what you print. NEVER print row values (Hard Rule #2): ... L55: // L56: // The token (if the source needs one) is in process.env.${env} — Regixo hands this script your resolved L57: // .env, so a value in .env is here. NEVER hard-code a secret; config stores only the variable NAME. ... L63: if (!token) { console.error('${env} is not set — add it to your .env'); process.exit(1); } L64: // const res = await fetch('https://api.example.com/ping', { headers: { Authorization: \`Bearer \${token}\` } }); L65: // if (!res.ok) { console.error(\`source unreachable (\${res.status})\`); process.exit(1); } ... L76: ]; L77: process.stdout.write(schema.join('\\n') + '\\n'); L78: `;
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/commands/connectors.jsView on unpkg · L46
dist/commands/serve-claim.jsView file
matchType = previous_version_dangerous_delta matchedPackage = regixo@0.1.17 matchedIdentity = npm:cmVnaXhv:0.1.17 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/serve-claim.jsView on unpkg

Findings

1 Critical1 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/serve-claim.js
HighCredential Exfiltrationdist/commands/connectors.js
MediumDynamic Requiredist/portal.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License