registry  /  termi-kids  /  0.1.0

termi-kids@0.1.0

Termi is a friendly coding buddy for kids. Build games, art, stories, and websites right from your computer, with a grown-up approved AI helper and strong safety rails.

Static Scan Results

scanned 8h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 59 file(s), 693 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, api.x.ai, auth.openai.com, chatgpt.com, github.com, huggingface.co, kaplayjs.com, nodejs.org, opencollective.com, www.w3.org

Source & flagged code

2 flagged · loading source
bin/termi.jsView file
12// Answered here so a version check never loads (or depends on) the app. L13: const { createRequire } = await import('node:module'); L14: const pkg = createRequire(import.meta.url)('../package.json');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/termi.jsView on unpkg · L12
dist/auth/oauth.jsView file
340package = termi-kids; repositoryIdentity = termi; dependency = open L340: try { L341: const mod = await import('open'); L342: await mod.default(authorizeUrl);
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/auth/oauth.jsView on unpkg · L340

Findings

1 High4 Medium5 Low
HighCopied Package Dependency Bridgedist/auth/oauth.js
MediumDynamic Requirebin/termi.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings