@zibby/skills
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:better-sqlite3 | AI (phantom-deps): better-sqlite3 is a well-known native binding; likely used inside minified bundle, not directly imported. | ai | |
| source-diff | obfuscated-file:dist/trackers/jira-adapter.js | AI (source-diff): esbuild-minified ESM bundle; readable Jira API adapter, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/trackers/linear-adapter.js | AI (source-diff): esbuild-minified ESM bundle; readable Linear API adapter, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/linear.js | AI (source-diff): esbuild-minified ESM bundle; readable Linear API code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/trackers/plane-adapter.js | AI (source-diff): esbuild-minified ESM bundle; readable Plane API adapter, no malicious patterns. | ai | |
| phantom-deps | phantom-dep:mem0ai | AI (phantom-deps): mem0ai resolves to @zibby/mem0ai (same org); likely used inside minified bundle, not directly imported. | ai | |
| source-diff | obfuscated-file:dist/trackers/github-adapter.js | AI (source-diff): esbuild-minified ESM bundle; readable API adapter code, no obfuscation or malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/trackers/index.js | AI (source-diff): esbuild-minified ESM bundle; readable integration tracker code, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/chat-notify.js | AI (source-diff): esbuild-minified ESM bundle; readable Slack API integration logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/llm-billing.js | AI (source-diff): esbuild-minified ESM bundle; readable LLM billing API logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/report.js | AI (source-diff): esbuild-minified ESM bundle; readable Zod schema definitions, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/lark.js | AI (source-diff): Minified ESM build output; code is readable and implements Lark API integration with no malicious patterns. | ai | |
| dependencies | unvetted-dep:@zibby/agent-workflow | AI (dependencies): Same-org @zibby scoped package; consistent with this monorepo's internal dependency pattern. | ai |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 0.1.33 | 5 / 4 | |
| 0.1.32 | 5 / 4 | |
| 0.1.31 | 3 / 4 | |
| 0.1.30 | 3 / 4 | |
| 0.1.29 | 3 / 4 | |
| 0.1.28 | 3 / 4 | |
| 0.1.27 | 3 / 4 | |
| 0.1.26 | 3 / 4 | |
| 0.1.25 | 3 / 1 | |
| 0.1.24 | 3 / 1 | |
| 0.1.23 | 3 / 1 | |
| 0.1.22 | 3 / 1 | |
| 0.1.20 | 1 / 1 | |
| 0.1.18 | 1 / 1 | |
| 0.1.17 | 1 / 1 | |
| 0.1.16 | 1 / 1 | |
| 0.1.15 | 1 / 1 | |
| 0.1.14 | 1 / 1 | |
| 0.1.13 | 1 / 1 | |
| 0.1.12 | 1 / 1 | |
| 0.1.11 | 1 / 1 | |
| 0.1.10 | 1 / 1 | |
| 0.1.8 | 0 / 1 | |
| 0.1.7 | 0 / 1 | |
| 0.1.6 | 0 / 1 | |
| 0.1.5 | 0 / 1 | |
| 0.1.4 | 0 / 1 | |
| 0.1.3 | 0 / 0 | |
| 0.1.0 | 0 / 0 |
v0.1.33
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.32
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.31
7 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.30
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.29
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.28
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.27
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.26
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.25
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.24
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.23
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.22
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.17
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.16
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.13
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.