reviewable-md@0.1.22

Preview a markdown file, leave inline review comments, and copy them back to an AI for the next edit.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
  Source: Child Process, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Minified, Obfuscated, Protestware, Telemetry, Url Strings
  Manifest: No License
scanned 57 file(s), 4.15 MB of source, external domains: 127.0.0.1, chevrotain.io, en.wikipedia.org, github.com, jquery.org, langium.org, lodash.com, openjsf.org, reactjs.org, tldrlegal.com, underscorejs.org, www.w3.org

Source & flagged code

6 flagged

dist/assets/index-B0l9AbHo.js
L331: `},u]}}const OM=e=>({IMPORTANT:{scope:"meta",begin:"!important"},BLOCK_COMMENT:e.C_BLOCK_COMMENT_MODE,HEXCOLOR:{scope:"number",begin:/#(([0-9a-fA-F]{3,4})|(([0-9a-fA-F]{2}){3,4}))\...
L332: ]`,h={scope:"string",variants:[c,u,d,f]},g={scope:"number",variants:[{begin:"\\b0[bB][01]+(?:_[01]+)*\\b"},{begin:"\\b0[oO][0-7]+(?:_[0-7]+)*\\b"},{begin:"\\b0[xX][\\da-fA-F]+(?:_[...
L333: https://github.com/highlightjs/highlight.js/issues/2277`),S=U,$=G),z===void 0&&(z=!0);const te={code:$,language:S};Q("before:highlight",te);const oe=te.result?te.result:d(te.langua...
High
Child Process

Package source references child process execution.

dist/assets/index-B0l9AbHo.js · L331

server/daemon.js
L156: process.platform === 'win32' ? 'start' : 'xdg-open'
L157: spawnImpl(opener, [link], { shell: true, stdio: 'ignore', detached: true }).unref?.()
L158: }
High
Shell

Package source references shell execution.

server/daemon.js · L156

server/cli.js
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network
L1: #!/usr/bin/env node
L2: import http from 'node:http'
L3: import fs from 'node:fs'
...
L5: import url from 'node:url'
L6: import { spawn } from 'node:child_process'
L7: import { DEFAULT_PORT, createHandler, getLanIps, parseArgs } from './lib.js'
...
L11: const CLI_PATH = url.fileURLToPath(import.meta.url)
L12: const __dirname = path.dirname(CLI_PATH)
L13: const ROOT = path.resolve(__dirname, '..')
...
L75: if (!enabled) return
L76: const opener = process.platform === 'darwin' ? 'open'
L77: : process.platform === 'win32' ? 'start' : 'xdg-open'
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

server/cli.js · L1

L91: const query = initialPath ? `?path=${encodeURIComponent(initialPath)}` : ''
L92: const link = `http://localhost:${previewPort}${query}`
L93: ...
L102: if (dev) {
L103: viteProc = spawn('npx', ['vite', '--host', '127.0.0.1', '--port', String(vitePort), '--strictPort'], {
L104: cwd: ROOT,
L105: env: { ...process.env, RMD_SERVER_PORT: String(args.port) },
L106: stdio: ['ignore', 'pipe', 'inherit'],
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

server/cli.js · L91

L102: if (dev) {
L103: viteProc = spawn('npx', ['vite', '--host', '127.0.0.1', '--port', String(vitePort), '--strictPort'], {
L104: cwd: ROOT,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

server/cli.js · L102

dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
path = dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
kind = high_entropy_blob
sizeBytes = 9644
magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2

Findings

6 High · 4 Medium · 8 Low

High · Child Process · dist/assets/index-B0l9AbHo.js
High · Shell · server/daemon.js
High · Entrypoint Build Divergence · server/cli.js
High · Same File Env Network Execution · server/cli.js
High · Runtime Package Install · server/cli.js
High · Ships High Entropy Blob · dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License