Summary
charleswiltgen/axiom/axiom-sqlitedata-migration v was classified as CRITICAL RISK with a risk score of 638. Sigil detected 42 findings across 573 files, covering phases including credential access, code patterns, network exfiltration, provenance, install hooks. Review the findings below before installing this package.
v
27 March 2026, 04:44 UTC
by Sigil Bot
Risk Score
638
Findings
42
Files Scanned
573
Provenance
Findings by Phase
Phase Ordering
Phases are ordered by criticality, with the most dangerous at the top. Click any phase header to expand or collapse its findings. Critical phases are expanded by default.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
repo/mcp-server/dist/bundle.json:4696
"description": "Reference — AVCaptureSession, AVCapturePhotoSettings, AVCapturePhotoOutput, RotationCoordinator, photoQualityPrioritization, deferred processing, AVCaptureMovieFileOutput, session presets, capture device APIs",
"content": "\n# Camera Capture API Reference\n\n## Quick Reference\n\n```swift\n// SESSION SETUP\nimport AVFoundation\n\nlet session = AVCaptureSession()\nlet sessionQueue = DispatchQueue(label: \"camera.session\")\n\nsessionQueue.async {\n session.beginConfWhy was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
repo/mcp-server/dist/bundle.json:9663
"description": "Use when implementing widgets, Live Activities, or Control Center controls - enforces correct patterns for timeline management, data sharing, and extension lifecycle to prevent common crashes and memory issues",
"content": "\n# Extensions & Widgets — Discipline\n\n## Core Philosophy\n\n> \"Widgets are not mini apps. They're glanceable views into your app's data, rendered at strategic moments and displayed by the system. Extensions run in sandboxed environments with liWhy was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
install-pip-setup-exec
CRITICALsetup.py executes code at install time
repo/mcp-server/dist/bundle.json:13548
"description": "Use when implementing speech-to-text, live transcription, or audio transcription. Covers SpeechAnalyzer (iOS 26+), SpeechTranscriber, volatile/finalized results, AssetInventory model management, audio format handling.",
"content": "\n# Speech-to-Text with SpeechAnalyzer\n\n## Overview\n\nSpeechAnalyzer is Apple's new speech-to-text API introduced in iOS 26. It powers Notes, Voice Memos, Journal, and Call Summarization. The on-device model is faster, more accurate, andWhy was this flagged?
This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.
Badge
Markdown
[](https://sigilsec.ai/scans/FC3A922E-2331-4B1F-B42E-1B28D012DEF4)HTML
<a href="https://sigilsec.ai/scans/FC3A922E-2331-4B1F-B42E-1B28D012DEF4"><img src="https://sigilsec.ai/badge/skills/charleswiltgen/axiom/axiom-sqlitedata-migration" alt="Sigil Scan"></a>Run This Scan Yourself
Scan your own packages
Run Sigil locally to audit any package before it touches your codebase.
Early Access
Get cloud scanning, threat intel, and CI/CD integration.
Join 150+ developers on the waitlist.
Get threat intelligence and product updates
Security research, new threat signatures, and product updates. No spam.
Other skills scans
Believe this result is incorrect? Request a review or see our Terms of Service and Methodology.