registry  /  scip-query  /  0.10.12

scip-query@0.10.12

⚠ Under review

Evidence and verification for AI coding agents: map code, reuse concepts, finish migrations, and gate diffs.

Static Scan Results

scanned 15d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 162 file(s), 1.24 MB of source, external domains: github.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/runtime.jsView file
1import{c as k,d as E,e as M}from"./chunk-ONPCQ2PM.js";import{a as w}from"./chunk-UUBMFL3F.js";import{readFileSync as $,writeFileSync as D,existsSync as j,mkdirSync as _}from"fs";im... L2: `),t}function f(i){return _(i,{recursive:!0}),i}import{execFileSync as O,fork as L}from"child_process";import{statSync as U,watch as H}from"fs";import{join as q,relative as X}from"... L3: //# sourceMappingURL=runtime.js.map
High
Child Process

Package source references child process execution.

dist/runtime.jsView on unpkg · L1
dist/chunk-RGKRYO22.jsView file
1import{a as ce}from"./chunk-XHMVZFA6.js";import{a as ae}from"./chunk-7XTO4YXB.js";import{a as S}from"./chunk-B32FX5KB.js";import{a as se}from"./chunk-RUV5IY25.js";import{a as oe}fr... L2: `).toLowerCase(),t=[],n=A(i,[".scipquery","declaredcouplings","suppression","suppressions","config","configuration","json"]);if(n.length>0)return t.push(`configuration/example term... L3: `),{path:n,findingCount:t.length}}function ue(e,i={}){let t=j(e,i.path);if(!Ee(t))throw new Error(`No baseline found at ${t}. Create one with: scip-query health --write-baseline`);...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-RGKRYO22.jsView on unpkg · L1
dist/cli.jsView file
791*.d.ts L792: `;function Xh(e,t,n){let i=ij(t,n);if(!i)return!1;try{return e.ignores(i)}catch{return!1}}function ij(e,t){if(!t||t===".")return null;if(!Jh(t)&&!t.startsWith(".."))return t.replac... L793: `),n}function ty(e,t){let n=At(e,co),i=Ue(e),r={...i,suppressions:[...i.suppressions??[],t]},o=Yi(r,{projectRoot:e}).filter(s=>s.level==="error");if(o.length>0){let s=o.map(a=>`${a... L794: `),{path:n,suppressionCount:r.suppressions?.length??0}}function pu(e){return oj(e,{recursive:!0}),e}function dj(e){return typeof e=="object"&&e!==null&&!Array.isArray(e)}function N... L795: ${m}`:""}`));return}try{t(JSON.parse(Buffer.concat(o).toString("utf8")))}catch(p){n(new Error(`${e.label} returned invalid JSON: ${p instanceof Error?p.message:p}`))}})})}async fun... ... L805: Axes:`),console.log(` Deletable: ${t.deletable.loc} LOC across ${t.deletable.symbols} symbols`),t.changeAmplification){let i=t.changeAmplification;console.log(` Ch... L806: Affected consumer files:`),N.list(e.affectedConsumers,t=>` ${t.file} (${t.consumedSymbols} symbol(s))`))}var uo=fu,I=(e=>parseInt(e,10)),mo=(e=>{let t=parseInt(e,10);if(!Number.i... L807: `),console.log("Or download manually:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L791
869`).get();return{version:2,tsconfig:n,files:ui(t),db:i}}function v1(e){let t=lb();return{projectRoot:e.projectRoot,context:Zy(e.projectRoot,e.configPath),symbolLookup:eb(e.db,e.proj... L870: Install from: https://github.com/sourcegraph/scip/releases`);if(t("scip CLI not found on PATH. Attempting auto-install..."),!Sy(t))throw new Error(`The scip CLI is required but cou... L871: Install manually from: https://github.com/sourcegraph/scip/releases`)}}function z1(e){let t=[],n=[],i=e.languages.map((r,o)=>({language:r,scipPath:e.languages.length>1?yb(e.tempOut... ... L876: `),()=>{try{N1(n)}finally{ho(e,{force:!0})}}}function Z1(e){try{let t=JSON.parse(ba(e,"utf-8"));return typeof t.pid!="number"||!Number.isInteger(t.pid)||t.pid<=0?null:{version:1,pi... L877: `),go(n,e)}function kb(e,t){try{let n=JSON.parse(ba(e,"utf-8"));if(n.version!==2&&n.version!==3)return;Rb(e,{...n,lastRefresh:t})}catch{}}function Hu(e){return{trigger:e.trigger??{... L878: `).map(o=>o.slice(3).trim()).filter(o=>o!==""));return[...new Set(t.batches.flatMap(o=>o.entries.map(s=>s.file)))].filter(o=>i.has(o)).sort()}function PH(e,t){for(let n of["node_mo... ... L880: `),o=new Set;for(let s of t){let a=DH(i,s.star
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L869
dist/postinstall.jsView file
1Install-time AI-agent control hijack evidence: L1: #!/usr/bin/env node L2: import{c as g,d as k,e as m,f}from"./chunk-ONPCQ2PM.js";import{existsSync as p,mkdirSync as L,symlinkSync as v,readlinkSync as b,unlinkSync as q}from"fs";import{join as e,dirname a... L3: ${i.installed.length} skill(s) installed, ${i.alreadyLinked.length} already linked.`),!g())console.log(` Payload evidence from skills/scip-api-impact/SKILL.md: L1: --- L2: name: scip-api-impact
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

dist/postinstall.jsView on unpkg · L1
scripts/evidence-product-contract.mjsView file
1Cross-file remote execution chain: scripts/evidence-product-contract.mjs spawns dist/cli.js; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import { spawnSync } from 'node:child_process'; L3: import { createHash } from 'node:crypto'; ... L16: const args = parseArgs(process.argv.slice(2)); L17: const projectRoot = process.cwd(); L18: const cliPath = resolve(projectRoot, 'dist/cli.js'); ... L30: const status = runCli(['status', '--json'], { profile: false }); L31: if (status.exitCode !== 0) { L32: process.stderr.write(status.stderr.toString()); L33: process.exit(status.exitCode ?? 1); ... L35: L36: const statusJson = JSON.parse(status.stdout.toString());
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/evidence-product-contract.mjsView on unpkg · L1
vendor/scip/win32-arm64/scip.exeView file
path = vendor/scip/win32-arm64/scip.exe kind = native_binary sizeBytes = 19709440 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

vendor/scip/win32-arm64/scip.exeView on unpkg

Findings

1 Critical6 High6 Medium6 Low
CriticalAi Agent Control Hijackdist/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/runtime.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighCross File Remote Execution Contextscripts/evidence-product-contract.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/chunk-RGKRYO22.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binaryvendor/scip/win32-arm64/scip.exe
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings