registry  /  vexi-cli  /  0.9.1

vexi-cli@0.9.1

Open-source AI coding agent for your terminal. Bring your own key, zero config, multilingual.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 47 file(s), 291 KB of source, external domains: 192.168.1.100, api.anthropic.com, api.cerebras.ai, api.cloudflare.com, api.deepseek.com, api.groq.com, api.minimax.chat, api.mistral.ai, api.moonshot.cn, api.openai.com, api.z.ai, cdn.jsdelivr.net, dashscope-intl.aliyuncs.com, example.com, generativelanguage.googleapis.com, github.com, my-proxy.example.com, nodejs.org, open.bigmodel.cn, openrouter.ai, raw.githubusercontent.com, registry.npmjs.org, vexi.pro

Source & flagged code

1 flagged · loading source
dist/update/index.jsView file
10import { join } from 'node:path'; L11: import { spawn } from 'node:child_process'; L12: import { confirm } from '@inquirer/prompts'; ... L18: const FETCH_TIMEOUT_MS = 1500; L19: const NPM_REGISTRY = 'https://registry.npmjs.org/vexi-cli/latest'; L20: /** Returns true if version string `a` is strictly greater than `b`. */ ... L45: if (cacheRaw) { L46: const cache = JSON.parse(cacheRaw); L47: const age = Date.now() - new Date(cache.lastCheck).getTime(); ... L81: return new Promise((resolve) => { L82: const cmd = process.platform === 'win32' ? 'npm.cmd' : 'npm'; L83: const child = spawn(cmd, args, { stdio: 'inherit' });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/update/index.jsView on unpkg · L10

Findings

1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/update/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings