
tura-ai@0.1.18

Local AI coding system with Rust services, command packages, TUI, and GUI workspaces.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: CopyleftLicense
scanned 4 file(s), 24.7 KB of source, external domains: github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node ./scripts/npm/install-release.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts/npm/cli-path.mjs
L4: import path from "node:path";
L5: import { spawnSync } from "node:child_process";
L6: import { fileURLToPath } from "node:url";
...
L14:
L15: function executableName(name, platform = process.platform) {
L16:   return platform === "win32" ? `${name}.exe` : name;
...
L32:
L33: export function cliPathRegistrationSkipped(env = process.env) {
L34:   return (
...
L62: function posixHome() {
L63:   return process.env.HOME || homedir();
L64: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/npm/cli-path.mjs · L4

Findings

1 High · 4 Medium · 5 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Network
Medium: Environment Vars
Medium: Install Persistence (scripts/npm/cli-path.mjs)
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings
Low: Copyleft License