registry  /  regixo  /  0.1.17

regixo@0.1.17

Free, local-first data catalog + context layer for AI agents — one command, no Docker, zero metadata egress, read-only MCP. The `regixo` command — scan (metadata only), map, classify, draft the RoPA/DORA record, invite, verify, watch, plus bring-your-own

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis completed at 65.0% confidence. No malicious behavior was detected; 9 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 72 file(s), 634 KB of source, external domains: api.example.com, app.regixo.com, hooks.example

Source & flagged code

2 flagged · loading source
dist/portal.jsView file
32return undefined; L33: const mod = (await import(__rewriteRelativeImportExtension(pathToFileURL(path).href))); L34: return mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/portal.jsView on unpkg · L32
dist/commands/connectors.jsView file
46return `#!/usr/bin/env node L47: // Regixo generator for "${name}" — prints this source's SCHEMA (metadata only) to stdout on each scan. L48: // Regixo runs this OUT-OF-PROCESS and ingests only what you print. NEVER print row values (Hard Rule #2): ... L55: // L56: // The token (if the source needs one) is in process.env.${env} — Regixo hands this script your resolved L57: // .env, so a value in .env is here. NEVER hard-code a secret; config stores only the variable NAME. ... L63: if (!token) { console.error('${env} is not set — add it to your .env'); process.exit(1); } L64: // const res = await fetch('https://api.example.com/ping', { headers: { Authorization: \`Bearer \${token}\` } }); L65: // if (!res.ok) { console.error(\`source unreachable (\${res.status})\`); process.exit(1); } ... L76: ]; L77: process.stdout.write(schema.join('\\n') + '\\n'); L78: `;
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/commands/connectors.jsView on unpkg · L46

Findings

1 High3 Medium5 Low
HighCredential Exfiltrationdist/commands/connectors.js
MediumDynamic Requiredist/portal.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License