
synsci@1.2.5

⚠ Under review

Install wizard for OpenScience, the open-source AI research workspace (optionally with Atlas)

Static Scan Results

scanned 6h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

(public snapshot)

Behavioral surface
  Source: Child Process, Environment Vars, Filesystem, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.

scanned 1 file(s), 14.3 KB of source, external domains: openscience.sh

Source & flagged code

4 flagged in bin/synsci.mjs
Critical · Download Execute

Source downloads or fetches remote code and executes it.

Location: bin/synsci.mjs L11 (view on unpkg)

Flagged excerpt:
  L11: // launcher itself, this prevents an infinite spawn chain that exhausts memory.
  L12: if (process.env.__SYNSCI_LAUNCHER_PID) {
  L13:   process.stderr.write(
  L14:     `synsci: launcher invoked recursively (parent pid ${process.env.__SYNSCI_LAUNCHER_PID}). Exiting.\n`,
  ...
  L19:
  L20: import { execFileSync, execSync, spawn } from "node:child_process"
  L21: import { existsSync, readFileSync, realpathSync } from "node:fs"
  ...
  L103: // 2. ~/.openscience/bin/openscience (curl-installer location)
  L104: candidates.push(join(homedir(), ".openscience", "bin", "openscience"))
  L105: ...
  L126: catch (e) { out = e && typeof e.stdout === "string" ? e.stdout : "" }
  L127: try { return Boolean(JSON.parse(out).dependencies["@synsci/cli"]) }
Critical · Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

Trigger-reachable chain: manifest.bin -> bin/synsci.mjs

Location: bin/synsci.mjs L11 (view on unpkg)

Flagged excerpt:
  L11: // launcher itself, this prevents an infinite spawn chain that exhausts memory.
  L12: if (process.env.__SYNSCI_LAUNCHER_PID) {
  L13:   process.stderr.write(
  L14:     `synsci: launcher invoked recursively (parent pid ${process.env.__SYNSCI_LAUNCHER_PID}). Exiting.\n`,
  ...
  L19:
  L20: import { execFileSync, execSync, spawn } from "node:child_process"
  L21: import { existsSync, readFileSync, realpathSync } from "node:fs"
  ...
  L103: // 2. ~/.openscience/bin/openscience (curl-installer location)
  L104: candidates.push(join(homedir(), ".openscience", "bin", "openscience"))
  L105: ...
  L126: catch (e) { out = e && typeof e.stdout === "string" ? e.stdout : "" }
  L127: try { return Boolean(JSON.parse(out).dependencies["@synsci/cli"]) }
High · Child Process

Package source references child process execution.

Location: bin/synsci.mjs L19 (view on unpkg)

Flagged excerpt:
  L20: import { execFileSync, execSync, spawn } from "node:child_process"
  L21: import { existsSync, readFileSync, realpathSync } from "node:fs"
High · Runtime Package Install

Package source invokes a package manager install command at runtime.

Location: bin/synsci.mjs L99 (view on unpkg)

Flagged excerpt:
  L99:  const candidates = []
  L100: // 1. Global npm prefix (where `npm i -g @synsci/openscience` puts it)
  L101: const prefix = runQuiet("npm prefix -g")
  ...
  L108: try {
  L109:   const ver = execFileSync(cand, ["--version"], {
  L110:     encoding: "utf-8", stdio: "pipe", timeout: 5000,

Findings

2 Critical · 3 High · 2 Medium · 3 Low

Critical · Download Execute · bin/synsci.mjs
Critical · Trigger Reachable Dangerous Capability · bin/synsci.mjs
High · Child Process · bin/synsci.mjs
High · Shell
High · Runtime Package Install · bin/synsci.mjs
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings