registry  /  vibecarbon  /  0.9.0

vibecarbon@0.9.0

Create and manage production-ready Vibecarbon applications

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 329 file(s), 2.47 MB of source, external domains: 1.1.1.1, aider.chat, analytics.yourdomain.com, antigravityai.org, api.cloudflare.com, api.github.com, api.hetzner.cloud, api.ipify.org, api.paddle.com, api.polar.sh, api.stripe.com, bolt.new, bun.sh, charts.hetzner.cloud, cli.github.com, cloudflareinsights.com, console.cloud.google.com, console.hetzner.cloud, cursor.com, dashboard.stripe.com, docs.anthropic.com, entra.microsoft.com, fsn1.your-objectstorage.com, ghcr.io, github.com, hel1.your-objectstorage.com, hono.dev, hyperformant.co, icanhazip.com, images.unsplash.com, index.docker.io, learn.microsoft.com, lovable.dev, nbg1.your-objectstorage.com, openai.com, plausible.io, polar.sh, portal.azure.com, raw.githubusercontent.com, resend.com, sandbox-api.paddle.com, spam.example, static.cloudflareinsights.com, studio.localhost, supabase-community.github.io, supabase.com, supabase.test, traefik.localhost, v0.dev, vendors.paddle.com

Source & flagged code

10 flagged · loading source
carbon/k8s/values/supabase.values.yamlView file
45patternName = generic_password severity = medium line = 45 matchedText = password...D}}"
Medium
Secret Pattern

Package contains a possible secret pattern.

carbon/k8s/values/supabase.values.yamlView on unpkg · L45
carbon/scripts/k8s-delete.jsView file
10L11: import { execSync } from 'node:child_process'; L12: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

carbon/scripts/k8s-delete.jsView on unpkg · L10
carbon/src/server/routes/_internal/services-status.tsView file
8L9: const execAsync = promisify(exec); L10:
High
Shell

Package source references shell execution.

carbon/src/server/routes/_internal/services-status.tsView on unpkg · L8
src/shell.jsView file
20L21: import { spawn } from 'node:child_process'; L22: import { existsSync, readFileSync } from 'node:fs'; ... L59: function loadCredentialsHcloudToken() { L60: const credPath = join(homedir(), '.vibecarbon', 'credentials.json'); L61: if (!existsSync(credPath)) return null; L62: try { L63: const data = JSON.parse(readFileSync(credPath, 'utf-8')); L64: return data?.hetzner?.apiToken ?? data?.hetznerApiToken ?? null; ... L85: for (const e of errors) { L86: process.stderr.write(`${c.error('✗')} ${e}\n`); L87: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/shell.jsView on unpkg · L20
src/status.jsView file
9* L10: * Local-dev checks are context-sensitive: skipped when stdout is not a L11: * TTY OR when `-json` is set (CI / scripting paths don't want them), ... L91: const timeoutId = setTimeout(() => controller.abort(), timeout); L92: const response = await fetch(url, { method: 'GET', signal: controller.signal }); L93: clearTimeout(timeoutId); ... L97: try { L98: data = await response.json(); L99: } catch { ... L307: return { L308: api: { running: api.ok, latencyMs: api.latencyMs, port: ports.api, data: api.data }, L309: vite: { running: vite.ok, port: ports.vite },
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

src/status.jsView on unpkg · L9
carbon/scripts/dev.jsView file
153// Spawn server process with its own process group for clean shutdown L154: const server = spawn('npx', ['tsx', 'watch', '--env-file=.env.local', 'src/server/index.ts'], { L155: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

carbon/scripts/dev.jsView on unpkg · L153
carbon/k8s/test-local.shView file
path = carbon/k8s/test-local.sh kind = build_helper sizeBytes = 10906 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

carbon/k8s/test-local.shView on unpkg
carbon/.claude/hooks/task-completed-gate.shView file
path = carbon/.claude/hooks/task-completed-gate.sh kind = payload_in_excluded_dir sizeBytes = 414 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

carbon/.claude/hooks/task-completed-gate.shView on unpkg
carbon/.github/workflows/deploy.ymlView file
222patternName = generic_password severity = medium line = 222 matchedText = --from-l...N" \
Medium
Secret Pattern

Hardcoded password in carbon/.github/workflows/deploy.yml

carbon/.github/workflows/deploy.ymlView on unpkg · L222
carbon/volumes/n8n/scripts/setup.shView file
49patternName = generic_password severity = medium line = 49 matchedText = password...H}',
Medium
Secret Pattern

Hardcoded password in carbon/volumes/n8n/scripts/setup.sh

carbon/volumes/n8n/scripts/setup.shView on unpkg · L49

Findings

5 High8 Medium6 Low
HighChild Processcarbon/scripts/k8s-delete.js
HighShellcarbon/src/server/routes/_internal/services-status.ts
HighCredential Exfiltrationsrc/status.js
HighRuntime Package Installcarbon/scripts/dev.js
HighPayload In Excluded Dircarbon/.claude/hooks/task-completed-gate.sh
MediumSecret Patterncarbon/k8s/values/supabase.values.yaml
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/shell.js
MediumShips Build Helpercarbon/k8s/test-local.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterncarbon/.github/workflows/deploy.yml
MediumSecret Patterncarbon/volumes/n8n/scripts/setup.sh
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License