registry  /  soloforge  /  1.1.112

soloforge@1.1.112

AI-driven development workflow system - one person does the work of a five-person team

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 326 file(s), 2.54 MB of source, external domains: opencode.ai

Source & flagged code

5 flagged · loading source
dist/context/engine/views/file_impact.jsView file
8* 被谁调用:管线上下文解析、视图查询 L9: * 调用谁:node:fs、node:path、node:child_process、view_registry、logger L10: *
High
Child Process

Package source references child process execution.

dist/context/engine/views/file_impact.jsView on unpkg · L8
dist/core/doctor_service.jsView file
29import { existsSync, readdirSync, readFileSync } from "node:fs"; L30: import { execa } from "execa"; L31: function projectContracts(projectRoot) {
High
Shell

Package source references shell execution.

dist/core/doctor_service.jsView on unpkg · L29
dist/gate/release/gate_checks/checkWorkflowNavigation.jsView file
27// 2. 核心导出存在性 L28: // eslint-disable-next-line @typescript-eslint/consistent-type-imports -- 动态导入需要 typeof import() 类型声明 L29: let nav;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/gate/release/gate_checks/checkWorkflowNavigation.jsView on unpkg · L27
dist/verify/audit/probe_executor.jsView file
109async execute(rule, _ctx) { L110: const { exitCode, stdout, stderr } = await execa("npx", ["vitest", "run", rule.probe_payload], { L111: reject: false,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/verify/audit/probe_executor.jsView on unpkg · L109
dist/verify/contracts/code_maintainability_observability_contract.jsView file
84patternName = generic_password severity = medium line = 84 matchedText = // logge..., t)
Medium
Secret Pattern

Hardcoded password in dist/verify/contracts/code_maintainability_observability_contract.js

dist/verify/contracts/code_maintainability_observability_contract.jsView on unpkg · L84

Findings

3 High5 Medium5 Low
HighChild Processdist/context/engine/views/file_impact.js
HighShelldist/core/doctor_service.js
HighRuntime Package Installdist/verify/audit/probe_executor.js
MediumDynamic Requiredist/gate/release/gate_checks/checkWorkflowNavigation.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/verify/contracts/code_maintainability_observability_contract.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings