registry  /  scip-query  /  0.17.2

scip-query@0.17.2

Evidence and verification for AI coding agents: map code, reuse concepts, finish migrations, and gate diffs.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 191 file(s), 2.25 MB of source, external domains: github.com, registry.npmjs.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/command-descriptors-7UUURHWT.jsView file
411\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`),console.log(`To... L412: ${e.length} unused import(s)`)}),Hp=gc("isolated",{query:({db:e,opts:t,budget:n})=>Ls(e,{scope:w(t,"scope"),minLoc:P(t,"minLoc",3),scanLimit:n.scanLimit,semantic:n.semantic}),forma... L413: ${e.length} isolated symbol(s)`)}),Wp=K("extract-candidates",({db:e,args:t,opts:n,budget:r})=>{let i=zs(e,{scope:w(n,"scope"),minLoc:P(n,"minLoc",10),minCallees:P(n,"minCallees",6)...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/command-descriptors-7UUURHWT.jsView on unpkg · L411
1#!/usr/bin/env node L2: import{b as Sc}from"./chunk-XTF6ELXT.js";import{a as rt,b as v,c as _e,d as ge,e as kt,f as p,g as lc,h as C,i as $,j as se,k as ae,l as ve,m as Vt,n as bc}from"./chunk-A2GX3PYV.js... L3: `).map(n=>n.slice(3).trim()).filter(n=>n!=="").sort()}function Of(e,t){for(let n of["node_modules"]){let r=ce(e,n),i=ce(t,n);if(xe(r)&&!xe(i))try{Rf(r,i,"junction")}catch{}}}functi... ... L8: `)){if(!n.trim().startsWith("{"))continue;let r=zr(n);if(!r||typeof r!="object")continue;let i=r;if(i.reason!=="compiler-message")continue;let o=i.message;if(!o||typeof o!="object"... L9: `).map(t=>t.trim()).filter(t=>/\berror\b/i.test(t)).map(t=>({file:"",message:t,parseBasis:"heuristic"}))}function Kf(e){let t=e.file.length>0?`${e.file}${e.line?`:${e.line}`:""}${e... L10: `).map(n=>n.trim()).filter(n=>n.length>0).slice(-t)}var Ac={typescript:[".ts",".tsx",".mts",".cts"],javascript:[".js",".jsx",".vue"],java:[".java"],scala:[".scala"],kotlin:[".kt","... ... L19: `).trim();r.removed.push(t),!n.dryRun&&(a.length===0?Mc(i,{force:!0}):ni(i,`${a} L20: `))}function pg(e,t){let n=st(e,".git","hooks");if(!Pt(n)){t.skipped.push({target:".git/hooks/pre-commit",reason:"no .git/hooks director
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/command-descriptors-7UUURHWT.jsView on unpkg · L1

Findings

1 High5 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/command-descriptors-7UUURHWT.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/command-descriptors-7UUURHWT.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings