
sigmap@8.3.0

⚠ Under review

97% token reduction for AI coding. Extracts function & class signatures with TF-IDF ranking to feed only the right files to Claude, Cursor, Copilot, Aider, Windsurf, local LLMs & MCP. Zero dependencies, runs offline via npx.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot

Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.

scanned 138 file(s), 1.40 MB of source, external domains: github.com, sigmap.io, www.w3.org

Source & flagged code

6 flagged

gen-context.js
L1582: // passed as an argv value, never interpolated into a command string.
L1583: const { execFileSync } = require('child_process');
L1584: const SYNC_FETCH = "const u=process.argv[1];const h=require(u.startsWith('https')?'https':'http');let d='';h.get(u,r=>{r.on('data',c=>d+=c);r.on('end',()=>process.stdout.write(d))}...
High
Child Process

Package source references child process execution.

gen-context.js · L1582
L1568: const https = require('https');
L1569: const http = require('http');
L1570: const mod = extendsVal.startsWith('https://') ? https : http;
...
L1582: // passed as an argv value, never interpolated into a command string.
L1583: const { execFileSync } = require('child_process');
L1584: const SYNC_FETCH = "const u=process.argv[1];const h=require(u.startsWith('https')?'https':'http');let d='';h.get(u,r=>{r.on('data',c=>d+=c);r.on('end',()=>process.stdout.write(d))}...
L1585: const out = execFileSync(process.execPath, ['-e', SYNC_FETCH, extendsVal], { timeout: 10000, encoding: 'utf8' });
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

gen-context.js · L1568
L527: try {
L528:   _cache[key] = require(path.join(__dirname, key + '.js'));
L529: } catch (_) {
...
L691:  * Instead of writing a flat .willow-context.md file, this adapter sends
L692:  * signature atoms to a Willow MCP server (https://github.com/rudi193-cmd/willow-1.9)
L693:  * via HTTP POST. Each indexed file becomes a searchable knowledge atom.
...
L783:   headers: { 'Content-Type': 'application/json' },
L784:   body: JSON.stringify({
L785:     name: 'willow_knowledge_ingest',
...
L810: } else {
L811:   process.stderr.write(`[willow-adapter] ${atom.id}: HTTP ${resp.status} (not retryable)\n`);
L812:   return false;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

gen-context.js · L527

gen-project-map.js
L15:
L16: const fs = require('fs');
L17: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

gen-project-map.js · L15

src/extractors/python_ast.py
path = src/extractors/python_ast.py
kind = build_helper
sizeBytes = 12041
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/extractors/python_ast.py

src/verify/hallucination-guard.js
matchType = previous_version_dangerous_delta
matchedPackage = sigmap@7.31.0
matchedIdentity = npm:c2lnbWFw:7.31.0
similarity = 0.917
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/verify/hallucination-guard.js

Findings

1 Critical · 3 High · 5 Medium · 5 Low

Critical · Previous Version Dangerous Delta · src/verify/hallucination-guard.js
High · Child Process · gen-context.js
High · Command Output Exfiltration · gen-context.js
High · Sandbox Evasion Gated Capability · gen-context.js
Medium · Dynamic Require · gen-project-map.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · src/extractors/python_ast.py
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings