registry  /  rivet-design  /  0.12.3

rivet-design@0.12.3

Local visual web development tool with AI-powered code modification

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis completed at 93.0% confidence. No malicious behavior was detected; 15 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 152 file(s), 3.50 MB of source, external domains: 127.0.0.1, cdn.jsdelivr.net, cdn.skypack.dev, cdnjs.cloudflare.com, claude.ai, cli.github.com, cursor.com, demo.rivet.design, esm.sh, getdesign.md, github.com, gsap.com, reactjs.org, releases.rivet.design, rivet-core-production.up.railway.app, rivet-prototype-host.onrender.com, rivet-proxy.onrender.com, rivet.design, rivet.local, unpkg.com, us.posthog.com, vdonwyzxpnsrihtrrvza.supabase.co, www.are.na, www.gstatic.com, www.pinterest.com, www.w3.org, yandex.com

Source & flagged code

4 flagged · loading source
dist/services/agent/AgentCore.jsView file
101// Use eval to prevent TypeScript from transforming to require() L102: const claudeSDK = await eval("import('@anthropic-ai/claude-agent-sdk')"); L103: // Wrap with Context Company observability when TCC_API_KEY is configured
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/services/agent/AgentCore.jsView on unpkg · L101
bin/rivet.jsView file
4L5: const fs = require('fs'); L6: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/rivet.jsView on unpkg · L4
src/ui/dist/favicon.icoView file
path = src/ui/dist/favicon.ico kind = high_entropy_blob sizeBytes = 4820 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/ui/dist/favicon.icoView on unpkg
dist/routes/agentVariants.jsView file
matchType = previous_version_dangerous_delta matchedPackage = rivet-design@0.12.2 matchedIdentity = npm:cml2ZXQtZGVzaWdu:0.12.2 similarity = 0.908 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/routes/agentVariants.jsView on unpkg

Findings

2 High4 Medium9 Low
HighShips High Entropy Blobsrc/ui/dist/favicon.ico
HighPrevious Version Dangerous Deltadist/routes/agentVariants.js
MediumDynamic Requirebin/rivet.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/services/agent/AgentCore.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License