registry  /  snow-ai  /  0.8.10

snow-ai@0.8.10

Agentic coding in your terminal

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 2.07 MB of source, external domains: example.com, github.com, ipapi.co, nodejs.org, ns.adobe.com, reactjs.org, registry.npmjs.org, registry.npmmirror.com, www.w3.org, www.xfa.org
Oversized source lightweight scan
bundle/cli.mjs29.9 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellWebSocketHighEntropyStringsUrlStringsgithub.comnodejs.orgreactjs.orgregistry.npmjs.org

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/postinstall.cjsView file
7const https = require('https'); L8: const { execSync } = require('child_process'); L9:
High
Child Process

Package source references child process execution.

scripts/postinstall.cjsView on unpkg · L7
93try { L94: execSync('npm install --no-save --prefer-offline sharp', { L95: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/postinstall.cjsView on unpkg · L93
bundle/pdf.worker.mjsView file
6002try { L6003: const mod = await import( L6004: /*webpackIgnore: true*/
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bundle/pdf.worker.mjsView on unpkg · L6002
498try { L499: new Function(""); L500: return true;
Low
Eval

Package source references a known benign dynamic code generation pattern.

bundle/pdf.worker.mjsView on unpkg · L498
bundle/tiktoken_bg.wasmView file
path = bundle/tiktoken_bg.wasm kind = wasm_module sizeBytes = 5593287 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

bundle/tiktoken_bg.wasmView on unpkg
bundle/cli.mjsView file
path = bundle/cli.mjs kind = oversized_source_file sizeBytes = 31310091 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

bundle/cli.mjsView on unpkg
path = bundle/cli.mjs kind = oversized_cli_entrypoint sizeBytes = 31310091 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

bundle/cli.mjsView on unpkg

Findings

5 High7 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/postinstall.cjs
HighShell
HighRuntime Package Installscripts/postinstall.cjs
HighOversized Source Filebundle/cli.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebundle/pdf.worker.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Modulebundle/tiktoken_bg.wasm
MediumOversized Cli Entrypointbundle/cli.mjs
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalbundle/pdf.worker.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings