registry  /  vigiles  /  12.8.0

vigiles@12.8.0

⚠ Under review

Lint & test the harness your AI agent runs on — verify the references in your CLAUDE.md / AGENTS.md and test that your hooks and skills actually work.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 155 file(s), 1.42 MB of source, external domains: 127.0.0.1, code.claude.com, example.com, github.com, json-schema.org, vigiles.dev

Source & flagged code

6 flagged · loading source
dist/dialect-drift.jsView file
47const node_path_1 = require("node:path"); L48: const node_child_process_1 = require("node:child_process"); L49: /**
High
Child Process

Package source references child process execution.

dist/dialect-drift.jsView on unpkg · L47
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = vigiles@12.3.0 matchedIdentity = npm:dmlnaWxlcw:12.3.0 similarity = 0.858 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
123const script = `import(${JSON.stringify(fullPath)}).then(m => { const d = m.default?.default ?? m.default; console.log(JSON.stringify(d)); })`; L124: const output = execSync(`npx tsx -e '${script.replace(/'/g, "'\\''")}'`, { L125: encoding: "utf-8",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L123
3762"runs the real model on your subscription. Refusing to fire them all non-interactively.\n" + L3763: " → name the eval(s): vigiles eval path/to/x.eval.mjs\n" + L3764: " → or opt in to all: vigiles eval --all");
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli.jsView on unpkg · L3762
dist/eval-baseline.jsView file
26*/ L27: const node_fs_1 = require("node:fs"); L28: const node_path_1 = require("node:path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/eval-baseline.jsView on unpkg · L26
hooks/post-edit.shView file
path = hooks/post-edit.sh kind = build_helper sizeBytes = 887 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

hooks/post-edit.shView on unpkg

Findings

1 Critical2 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/dialect-drift.js
HighRuntime Package Installdist/cli.js
MediumDynamic Requiredist/eval-baseline.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperhooks/post-edit.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/cli.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings