registry  /  tribenest  /  0.1.0

tribenest@0.1.0

tribenest — local dev CLI + MCP server for TribeNest code websites

Static Scan Results

scanned 8h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 17 file(s), 59.3 KB of source, external domains: 127.0.0.1, admin.tribenest.co, api.tribenest.co

Source & flagged code

2 flagged · loading source
dist/lib/deploy.jsView file
8// `stream: true` for live output. L9: import { spawnSync } from "node:child_process"; L10: import { existsSync, readdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/lib/deploy.jsView on unpkg · L8
dist/mcp.jsView file
252case "check_errors": { L253: const r = spawnSync("npx", ["tsc", "--noEmit"], { cwd: process.cwd(), encoding: "utf-8" }); L254: const out = (r.stdout || "") + (r.stderr || "");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/mcp.jsView on unpkg · L252

Findings

3 High3 Medium6 Low
HighChild Processdist/lib/deploy.js
HighShell
HighRuntime Package Installdist/mcp.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License