registry  /  thuban  /  0.3.3

thuban@0.3.3

The safety layer for AI-coded software. Detect hallucinated APIs, ghost code, tech debt, and architecture drift. One command. Zero dependencies.

Static Scan Results

scanned 13d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 32 file(s), 489 KB of source, external domains: github.com, thuban.dev

Source & flagged code

8 flagged · loading source
packages/scanner/secret-scanner.test.jsView file
24patternName = stripe_live_secret severity = critical line = 24 matchedText = 'const s...";',
Critical
Critical Secret

Package contains a critical-looking secret pattern.

packages/scanner/secret-scanner.test.jsView on unpkg · L24
24patternName = stripe_live_secret severity = critical line = 24 matchedText = 'const s...";',
Critical
Secret Pattern

Stripe live secret key in packages/scanner/secret-scanner.test.js

packages/scanner/secret-scanner.test.jsView on unpkg · L24
30patternName = google_api_key severity = high line = 30 matchedText = fs.write...n');
High
Secret Pattern

Google API key in packages/scanner/secret-scanner.test.js

packages/scanner/secret-scanner.test.jsView on unpkg · L30
25patternName = generic_password severity = medium line = 25 matchedText = 'const p...";',
Medium
Secret Pattern

Hardcoded password in packages/scanner/secret-scanner.test.js

packages/scanner/secret-scanner.test.jsView on unpkg · L25
packages/scanner/code-scanner.jsView file
116id: 'SEC004', L117: name: 'eval() Usage', L118: pattern: /\beval\s*\(/,
Low
Eval

Package source references a known benign dynamic code generation pattern.

packages/scanner/code-scanner.jsView on unpkg · L116
packages/scanner/ghost-code-detector.jsView file
10L11: const fs = require('fs'); L12: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

packages/scanner/ghost-code-detector.jsView on unpkg · L10
packages/scanner/copy-paste-detector.jsView file
16constructor(opts = {}) { L17: this.rootPath = opts.rootPath || process.cwd(); L18: this.minLines = opts.minLines || 5; // Minimum function size to consider ... L62: L63: // ─── Private ───────────────────────────────────────────── L64:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

packages/scanner/copy-paste-detector.jsView on unpkg · L16
cli.jsView file
84const status = lm.getStatus(); L85: const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, 'package.json'), 'utf-8')); L86: console.log(c('gray', ` v${pkg.version} · ${status.tierName} tier`) + (status.licensed ? c('green', ' ✓') : '') + c('gray', ' · https://thuban.dev')); L87: console.log(''); ... L355: const tmpDir = path.join(os.tmpdir(), 'thuban-scan-' + Date.now()); L356: const { execFileSync } = require('child_process'); L357: try { ... L1752: const { exec } = require('child_process'); L1753: const platform = process.platform; L1754: const cmd = platform === 'win32' ? 'start' : platform === 'darwin' ? 'open' : 'xdg-open'; ... L2203: function getTelemetryConfigPath() { L2204: const home = process.env.HOME || process.env.USERPROFILE || os.homedir();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

cli.jsView on unpkg · L84

Findings

2 Critical2 High5 Medium7 Low
CriticalCritical Secretpackages/scanner/secret-scanner.test.js
CriticalSecret Patternpackages/scanner/secret-scanner.test.js
HighSandbox Evasion Gated Capabilitycli.js
HighSecret Patternpackages/scanner/secret-scanner.test.js
MediumDynamic Requirepackages/scanner/ghost-code-detector.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternpackages/scanner/secret-scanner.test.js
LowScripts Present
LowEvalpackages/scanner/code-scanner.js
LowWeak Cryptopackages/scanner/copy-paste-detector.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License