registry  /  vibecarbon  /  0.19.0

vibecarbon@0.19.0

⚠ Under review

Create and manage production-ready Vibecarbon applications

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 367 file(s), 2.77 MB of source, external domains: 1.1.1.1, aider.chat, analytics.yourdomain.com, antigravityai.org, api.cloudflare.com, api.github.com, api.hetzner.cloud, api.ipify.org, api.paddle.com, api.polar.sh, api.stripe.com, app.test, bolt.new, bun.sh, charts.hetzner.cloud, cli.github.com, cloudflareinsights.com, console.cloud.google.com, console.hetzner.cloud, cursor.com, dashboard.stripe.com, docs.anthropic.com, entra.microsoft.com, fsn1.your-objectstorage.com, ghcr.io, github.com, grafana.vibecarbon-observability, hel1.your-objectstorage.com, hono.dev, hyperformant.co, icanhazip.com, images.unsplash.com, index.docker.io, learn.microsoft.com, local.test, loki.vibecarbon-observability, lovable.dev, nbg1.your-objectstorage.com, openai.com, plausible.io, polar.sh, portal.azure.com, prometheus.vibecarbon-observability, raw.githubusercontent.com, resend.com, sandbox-api.paddle.com, spam.example, static.cloudflareinsights.com, studio.localhost, supabase-community.github.io

Source & flagged code

11 flagged · loading source
carbon/k8s/values/supabase.values.yamlView file
45patternName = generic_password severity = medium line = 45 matchedText = password...D}}"
Medium
Secret Pattern

Package contains a possible secret pattern.

carbon/k8s/values/supabase.values.yamlView on unpkg · L45
carbon/scripts/k8s-delete.jsView file
10L11: import { execSync } from 'node:child_process'; L12: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

carbon/scripts/k8s-delete.jsView on unpkg · L10
carbon/src/server/routes/_internal/services-status.tsView file
8L9: const execAsync = promisify(exec); L10:
High
Shell

Package source references shell execution.

carbon/src/server/routes/_internal/services-status.tsView on unpkg · L8
src/shell.jsView file
20L21: import { spawn } from 'node:child_process'; L22: import { existsSync } from 'node:fs'; ... L70: const envName = /** @type {string|undefined} */ (positional.env) ?? 'prod'; L71: const cwd = process.cwd(); L72: const kubeconfig = join(cwd, '.vibecarbon', `kubeconfig-${envName}`); ... L107: const env = { L108: ...process.env, L109: KUBECONFIG: kubeconfig, ... L117: // Build a custom PS1 that's obviously not the user's normal prompt. L118: // --rcfile lets us inherit ~/.bashrc but layer on the prompt, a welcome L119: // banner showing what's exported, and an `ssh` shell function that
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/shell.jsView on unpkg · L20
src/status.jsView file
9* L10: * Local-dev checks are context-sensitive: skipped when stdout is not a L11: * TTY OR when `-json` is set (CI / scripting paths don't want them), ... L92: const timeoutId = setTimeout(() => controller.abort(), timeout); L93: const response = await fetch(url, { method: 'GET', signal: controller.signal }); L94: clearTimeout(timeoutId); ... L98: try { L99: data = await response.json(); L100: } catch { ... L308: return { L309: api: { running: api.ok, latencyMs: api.latencyMs, port: ports.api, data: api.data }, L310: vite: { running: vite.ok, port: ports.vite },
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

src/status.jsView on unpkg · L9
carbon/scripts/dev.jsView file
153// Spawn server process with its own process group for clean shutdown L154: const server = spawn('npx', ['tsx', 'watch', '--env-file=.env.local', 'src/server/index.ts'], { L155: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

carbon/scripts/dev.jsView on unpkg · L153
carbon/k8s/test-local.shView file
path = carbon/k8s/test-local.sh kind = build_helper sizeBytes = 10906 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

carbon/k8s/test-local.shView on unpkg
carbon/.claude/hooks/task-completed-gate.shView file
path = carbon/.claude/hooks/task-completed-gate.sh kind = payload_in_excluded_dir sizeBytes = 414 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

carbon/.claude/hooks/task-completed-gate.shView on unpkg
src/lib/deploy/compose/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = vibecarbon@0.9.0 matchedIdentity = npm:dmliZWNhcmJvbg:0.9.0 similarity = 0.375 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/lib/deploy/compose/index.jsView on unpkg
carbon/.github/workflows/deploy.ymlView file
222patternName = generic_password severity = medium line = 222 matchedText = --from-l...N" \
Medium
Secret Pattern

Hardcoded password in carbon/.github/workflows/deploy.yml

carbon/.github/workflows/deploy.ymlView on unpkg · L222
carbon/volumes/n8n/scripts/setup.shView file
49patternName = generic_password severity = medium line = 49 matchedText = password...H}',
Medium
Secret Pattern

Hardcoded password in carbon/volumes/n8n/scripts/setup.sh

carbon/volumes/n8n/scripts/setup.shView on unpkg · L49

Findings

1 Critical5 High8 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/lib/deploy/compose/index.js
HighChild Processcarbon/scripts/k8s-delete.js
HighShellcarbon/src/server/routes/_internal/services-status.ts
HighCredential Exfiltrationsrc/status.js
HighRuntime Package Installcarbon/scripts/dev.js
HighPayload In Excluded Dircarbon/.claude/hooks/task-completed-gate.sh
MediumSecret Patterncarbon/k8s/values/supabase.values.yaml
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/shell.js
MediumShips Build Helpercarbon/k8s/test-local.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterncarbon/.github/workflows/deploy.yml
MediumSecret Patterncarbon/volumes/n8n/scripts/setup.sh
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings