registry  /  termi-kids  /  0.1.1

termi-kids@0.1.1

Termi is a friendly coding buddy for kids. Build games, art, stories, and websites right from your computer, with a grown-up approved AI helper and strong safety rails.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 59 file(s), 696 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, api.x.ai, auth.openai.com, chatgpt.com, github.com, huggingface.co, kaplayjs.com, nodejs.org, opencollective.com, www.w3.org

Source & flagged code

3 flagged · loading source
bin/termi.jsView file
12// Answered here so a version check never loads (or depends on) the app. L13: const { createRequire } = await import('node:module'); L14: const pkg = createRequire(import.meta.url)('../package.json');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/termi.jsView on unpkg · L12
dist/auth/oauth.jsView file
340package = termi-kids; repositoryIdentity = termi; dependency = open L340: try { L341: const mod = await import('open'); L342: await mod.default(authorizeUrl);
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/auth/oauth.jsView on unpkg · L340
dist/surfaces/home.jsView file
matchType = previous_version_dangerous_delta matchedPackage = termi-kids@0.1.0 matchedIdentity = npm:dGVybWkta2lkcw:0.1.0 similarity = 0.862 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/surfaces/home.jsView on unpkg

Findings

2 High4 Medium5 Low
HighCopied Package Dependency Bridgedist/auth/oauth.js
HighPrevious Version Dangerous Deltadist/surfaces/home.js
MediumDynamic Requirebin/termi.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings