registry  /  sillyspec  /  3.20.6

sillyspec@3.20.6

⚠ Under review

SillySpec CLI — 流程状态机,让 AI 严格按步骤来

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 54 file(s), 2.24 MB of source, external domains: 127.0.0.1, github.com, grep.app, playwright.dev, vuejs.org, www.w3.org

Source & flagged code

5 flagged · loading source
packages/dashboard/server/executor.jsView file
1import { spawn } from 'child_process' L2:
High
Child Process

Package source references child process execution.

packages/dashboard/server/executor.jsView on unpkg · L1
12const args = String(command || '').trim().split(/\s+/).filter(Boolean) L13: const proc = spawn('npx', ['sillyspec', ...args], { L14: cwd: projectPath,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

packages/dashboard/server/executor.jsView on unpkg · L12
src/worktree-deps.jsView file
112if (process.platform === 'win32') { L113: execSync(`mklink /J "${linkPath}" "${mainNodeModules}"`, { shell: 'cmd.exe', stdio: ['pipe', 'pipe', 'pipe'] }); L114: return { ok: true, method: 'junction' };
High
Shell

Package source references shell execution.

src/worktree-deps.jsView on unpkg · L112
src/stages/execute.jsView file
298\`\`\`bash L299: node -e "import('./src/worktree.js').then(w => { const wm = new w.WorktreeManager(); const m = wm.getMeta('<change-name>'); console.log(m ? JSON.stringify({mode: m.mode, path: m.wo... L300: \`\`\`
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/stages/execute.jsView on unpkg · L298
src/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sillyspec@3.20.5 matchedIdentity = npm:c2lsbHlzcGVj:3.20.5 similarity = 0.906 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/index.jsView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/index.js
HighChild Processpackages/dashboard/server/executor.js
HighShellsrc/worktree-deps.js
HighRuntime Package Installpackages/dashboard/server/executor.js
MediumDynamic Requiresrc/stages/execute.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings