registry  /  tribenest  /  0.6.1

tribenest@0.6.1

tribenest — local dev CLI + MCP server for TribeNest code websites

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicenseWildcardDependency
scanned 1 file(s), 90.7 KB of source, external domains: 127.0.0.1, admin.tribenest.co, api.tribenest.co

Source & flagged code

2 flagged · loading source
dist/index.jsView file
9import { createServer } from "http"; L10: import { spawn } from "child_process"; L11: import { randomBytes } from "crypto";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L9
905// src/commands/upgrade.ts L906: import { spawnSync as spawnSync5 } from "child_process"; L907: async function upgrade() { ... L920: throw new Error( L921: "Upgrade failed. Try running it manually:\n npm install -g tribenest@latest\n(you may need sudo, or fix your global npm prefix if it's not writable)." L922: );
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L905

Findings

3 High4 Medium6 Low
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License