
reviewable-md@0.1.21

Preview a markdown file, leave inline review comments, and copy them back to an AI for the next edit.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Minified, Obfuscated, Protestware, Telemetry, Url Strings
Manifest
No License
scanned 57 file(s), 4.15 MB of source, external domains: 127.0.0.1, chevrotain.io, en.wikipedia.org, github.com, jquery.org, langium.org, lodash.com, openjsf.org, reactjs.org, tldrlegal.com, underscorejs.org, www.w3.org

Source & flagged code

6 flagged
dist/assets/CodeMirrorEditor-C5hqNCdn.js
L9: `&&r.lineWrapping&&(i&&(i=S.single(i.main.anchor-1,i.main.head-1)),t={from:s.from,to:s.to,insert:Y.of([" "])}),t)return Is(r,t,i,o);if(i&&!Ar(i,s)){let l=!1,a="select";return r.inp...
L10: `))};if(($.mac||$.android)&&f.from==o-1&&/^\. ?$/.test(i.text)&&e.contentDOM.getAttribute("autocorrect")=="off"&&(f={from:l,to:a,insert:Y.of([i.text.replace("."," ")])}),this.pendi...
L11: `+t.scrub(),s=this.advance(n);return s>-1&&s<n.length?this.complete(e,i,s):!1}finish(e,t){return(this.stage==2||this.stage==3)&&Qi(t.content,this.pos)==t.content.length?this.comple...
High
Child Process

Package source references child process execution.

dist/assets/CodeMirrorEditor-C5hqNCdn.js · L9
server/daemon.js
L156: process.platform === 'win32' ? 'start' : 'xdg-open'
L157: spawnImpl(opener, [link], { shell: true, stdio: 'ignore', detached: true }).unref?.()
L158: }
High
Shell

Package source references shell execution.

server/daemon.js · L156
server/cli.js
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network
L1: #!/usr/bin/env node
L2: import http from 'node:http'
L3: import fs from 'node:fs'
...
L5: import url from 'node:url'
L6: import { spawn } from 'node:child_process'
L7: import { DEFAULT_PORT, createHandler, getLanIps, parseArgs } from './lib.js'
...
L11: const CLI_PATH = url.fileURLToPath(import.meta.url)
L12: const __dirname = path.dirname(CLI_PATH)
L13: const ROOT = path.resolve(__dirname, '..')
...
L75: if (!enabled) return
L76: const opener = process.platform === 'darwin' ? 'open'
L77: : process.platform === 'win32' ? 'start' : 'xdg-open'
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

server/cli.js · L1
L91: const query = initialPath ? `?path=${encodeURIComponent(initialPath)}` : ''
L92: const link = `http://localhost:${previewPort}${query}`
L93: ...
L102: if (dev) {
L103: viteProc = spawn('npx', ['vite', '--host', '127.0.0.1', '--port', String(vitePort), '--strictPort'], {
L104: cwd: ROOT,
L105: env: { ...process.env, RMD_SERVER_PORT: String(args.port) },
L106: stdio: ['ignore', 'pipe', 'inherit'],
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

server/cli.js · L91
L102: if (dev) {
L103: viteProc = spawn('npx', ['vite', '--host', '127.0.0.1', '--port', String(vitePort), '--strictPort'], {
L104: cwd: ROOT,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

server/cli.js · L102
dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
path = dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
kind = high_entropy_blob
sizeBytes = 9644
magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2

Findings

6 High · 4 Medium · 8 Low
High · Child Process · dist/assets/CodeMirrorEditor-C5hqNCdn.js
High · Shell · server/daemon.js
High · Entrypoint Build Divergence · server/cli.js
High · Same File Env Network Execution · server/cli.js
High · Runtime Package Install · server/cli.js
High · Ships High Entropy Blob · dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License