
sinapse-ai@1.21.0

⚠ Under review

SINAPSE AI: AI orchestration framework with 17 squads and 172 specialized agents

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 19 findings at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface (source): Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: no manifest risk signals triggered.
Scanned 137 files, 1.27 MB of source. External domains referenced: 127.0.0.1, api.service.com, chromewebstore.google.com, cli.github.com, console.anthropic.com, docker.com, docs.npmjs.com, exa.ai, git-scm.com, github.com, google.com, nodejs.org, openrouter.ai, platform.deepseek.com, platform.openai.com, registry.npmjs.org

Source & flagged code

11 flagged snippets
.sinapse-ai/product/templates/engine/elicitation.js · L26
    patternName = generic_password
    severity = medium
    matchedText = password...rd'
Medium · Secret Pattern

Package contains a possible secret pattern. The matched text is truncated by the scanner, so confirm whether line 26 holds a live credential or a placeholder value inside this prompt template.
bin/sinapse.js · L11 (lines 11–13 shown)
    const os = require('os');
    const { execSync, spawnSync } = require('child_process');
    const { emitDeprecationWarning } = require('./utils/deprecation-warning');
High · Child Process

Package source references child process execution (execSync and spawnSync are imported from child_process).

bin/sinapse.js · L658 (lines 658–660 shown)
    stdio: 'inherit',
    shell: true,
    windowsVerbatimArguments: false,
High · Shell

Package source references shell execution. With shell: true the command string is handed to the platform shell (/bin/sh on POSIX, cmd.exe on Windows), so every argument that ends up in that string is parsed for metacharacters; whatever feeds this call site decides whether it is a command-injection point. Review how the command string at line 658 is built before accepting the finding as benign.
bin/sinapse.js · L8 (lines 9–10 shown)
    const path = require('path');
    const fs = require('fs');
Medium · Dynamic Require

Package source references dynamic require/import behavior. The excerpt contains only static requires of core modules; the dynamic require or import that matched the rule is not shown, so locate it in the file before weighting this finding.
bin/commands/install.js
    matchType = previous_version_dangerous_delta
    matchedPackage = sinapse-ai@1.19.2
    matchedIdentity = npm:c2luYXBzZS1haQ:1.19.2
    similarity = 0.658
    summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. The baseline is the last version the registry stored (1.19.2), not necessarily the release immediately before 1.21.0, so check whether the file already existed in an intermediate version before treating it as new here.
bin/commands/install.js · L3 (non-contiguous excerpt)
    L4:   const { execSync, execFileSync } = require('child_process');
    L5:   const fs = require('fs');
    ...
    L111: const raw = fs.readFileSync(claudeSettingsPath, 'utf8').replace(/^\uFEFF/, '');
    L112: try { settings = JSON.parse(raw); } catch { parseFailed = true; }
    L113: }
    ...
    L139: logger.error(`Tente reinstalar: ${CYAN}npm install -g sinapse-ai${NC}`);
    L140: logger.error('Se persistir, abra um issue: https://github.com/caioimori/sinapse-ai/issues');
    L141: process.exit(1);
    ...
    L324: // printed above: if any check failed (✗), show a warning banner instead of an
    L325: // unconditional success banner. The exit code is intentionally left unchanged —
    L326: // this only changes the message, not the process result.
Medium · Install Persistence

Source writes installer persistence such as shell profile or service configuration. The excerpt shows the installer reading and parsing a Claude settings file (claudeSettingsPath); confirm what it writes back to that file and whether any of it registers commands that run automatically.
bin/commands/local.js · L3 (non-contiguous excerpt)
    L4:  const { execSync, spawn } = require('child_process');
    L5:  const fs = require('fs');
    ...
    L15: logger.error(`${RED}Script não encontrado:${NC} ${script}`);
    L16: logger.error(`Tente: ${CYAN}npx sinapse-ai doctor${NC}`);
    L17: process.exit(1);
High · Runtime Package Install

Package source invokes a package manager install command at runtime. The excerpt shows only the child_process import and an error path; the install invocation itself is elsewhere in the file, so check which package manager is called, which packages it installs, and whether any of that is taken from user input or a remote source.
.claude/hooks/pre-commit-version-check.sh
    path = .claude/hooks/pre-commit-version-check.sh
    kind = payload_in_excluded_dir
    sizeBytes = 4223
    magicHex = [redacted]
High · Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths. Here the flagged file is a 4223-byte shell script under the hidden .claude/ directory, so the rule fires on location and file type rather than on an opaque blob; read the script before installing, since hook scripts run with the developer's privileges whenever they are triggered.

.claude/hooks/pre-commit-version-check.sh
    path = .claude/hooks/pre-commit-version-check.sh
    kind = build_helper
    sizeBytes = 4223
    magicHex = [redacted]
Medium · Ships Build Helper

Package ships non-JavaScript build or shell helper files. This is the same script as the finding above, counted a second time under a different rule.
.sinapse-ai/product/data/supabase-patterns.md · L72
    patternName = generic_password
    severity = medium
    matchedText = password...rd'
Medium · Secret Pattern

Hardcoded password in .sinapse-ai/product/data/supabase-patterns.md. The file is a Markdown patterns document and the match is truncated by the scanner, so confirm whether line 72 holds a live credential or an example value inside a code sample.

.sinapse-ai/product/data/supabase-patterns.md · L86
    patternName = generic_password
    severity = medium
    matchedText = password...ord'
Medium · Secret Pattern

Hardcoded password in .sinapse-ai/product/data/supabase-patterns.md, second match in the same document at line 86; apply the same check.

Findings

1 Critical · 4 High · 9 Medium · 5 Low (19 total)

Critical · Previous Version Dangerous Delta · bin/commands/install.js
High · Child Process · bin/sinapse.js
High · Shell · bin/sinapse.js
High · Runtime Package Install · bin/commands/local.js
High · Payload In Excluded Dir · .claude/hooks/pre-commit-version-check.sh
Medium · Secret Pattern · .sinapse-ai/product/templates/engine/elicitation.js
Medium · Dynamic Require · bin/sinapse.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · bin/commands/install.js
Medium · Ships Build Helper · .claude/hooks/pre-commit-version-check.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · .sinapse-ai/product/data/supabase-patterns.md
Medium · Secret Pattern · .sinapse-ai/product/data/supabase-patterns.md
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings