registry  /  sillyspec  /  3.21.0

sillyspec@3.21.0

⚠ Under review

SillySpec CLI — 流程状态机,让 AI 严格按步骤来

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 55 file(s), 2.30 MB of source, external domains: 127.0.0.1, github.com, grep.app, playwright.dev, vuejs.org, www.w3.org

Source & flagged code

5 flagged · loading source
packages/dashboard/server/executor.jsView file
1import { spawn } from 'child_process' L2:
High
Child Process

Package source references child process execution.

packages/dashboard/server/executor.jsView on unpkg · L1
12const args = String(command || '').trim().split(/\s+/).filter(Boolean) L13: const proc = spawn('npx', ['sillyspec', ...args], { L14: cwd: projectPath,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

packages/dashboard/server/executor.jsView on unpkg · L12
src/worktree-deps.jsView file
112if (process.platform === 'win32') { L113: execSync(`mklink /J "${linkPath}" "${mainNodeModules}"`, { shell: 'cmd.exe', stdio: ['pipe', 'pipe', 'pipe'] }); L114: return { ok: true, method: 'junction' };
High
Shell

Package source references shell execution.

src/worktree-deps.jsView on unpkg · L112
src/stages/doctor.jsView file
60node -e " L61: const fs = require('fs'); L62: const dir = '.sillyspec/changes';
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/stages/doctor.jsView on unpkg · L60
src/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sillyspec@3.20.5 matchedIdentity = npm:c2lsbHlzcGVj:3.20.5 similarity = 0.811 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/index.jsView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/index.js
HighChild Processpackages/dashboard/server/executor.js
HighShellsrc/worktree-deps.js
HighRuntime Package Installpackages/dashboard/server/executor.js
MediumDynamic Requiresrc/stages/doctor.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings