registry  /  specline  /  2.1.1

specline@2.1.1

Spec-driven AI coding pipeline with deterministic quality gates for Cursor IDE

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 96.5 KB of source, external domains: registry.npmjs.org

Source & flagged code

3 flagged · loading source
lib/gate.mjsView file
2import { join } from 'path'; L3: import { spawnSync } from 'child_process'; L4: import { PACKAGE_ROOT } from './paths.mjs';
High
Child Process

Package source references child process execution.

lib/gate.mjsView on unpkg · L2
cli.mjsView file
238try { L239: execSync('npm install -g specline@latest', { stdio: 'inherit' }); L240: } catch (err) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

cli.mjsView on unpkg · L238
core/gates/pipeline-gate.shView file
path = core/gates/pipeline-gate.sh kind = build_helper sizeBytes = 45939 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

core/gates/pipeline-gate.shView on unpkg

Findings

3 High4 Medium4 Low
HighChild Processlib/gate.mjs
HighShell
HighRuntime Package Installcli.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpercore/gates/pipeline-gate.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings