registry  /  @anna-ai/cli  /  0.1.33

@anna-ai/cli@0.1.33

Anna App developer CLI: scaffold, validate, harness (Phase 2 MVP: init + validate).

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 65 file(s), 362 KB of source, external domains: astral.sh, docs.astral.sh, mock.local, nexus.example.com

Source & flagged code

4 flagged · loading source
dist/doctor-VrfEkedz.jsView file
4import { existsSync, statSync } from "node:fs"; L5: import { spawnSync } from "node:child_process"; L6: import { bold, dim, green, red, yellow } from "kleur/colors";
High
Child Process

Package source references child process execution.

dist/doctor-VrfEkedz.jsView on unpkg · L4
dist/login-DhgBgsfx.jsView file
8async function tryOpenBrowser(url) { L9: if (envBool(process.env.ANNA_LOGIN_NO_OPEN)) return; L10: const opener = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open"; L11: try { L12: const { spawn } = await import("node:child_process"); L13: spawn(opener, [url], { ... L23: try { L24: const res = await fetch(`${host}/api/v1/anna-apps/dev/login/start`, { L25: method: "POST",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/login-DhgBgsfx.jsView on unpkg · L8
11try { L12: const { spawn } = await import("node:child_process"); L13: spawn(opener, [url], { ... L20: const host = canonicalHost(opts.host); L21: process.stdout.write(`▸ logging in to ${host}\n`); L22: let startResp; L23: try { L24: const res = await fetch(`${host}/api/v1/anna-apps/dev/login/start`, { L25: method: "POST",
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/login-DhgBgsfx.jsView on unpkg · L11
templates/executa/python/__SLUG_PY___plugin.pyView file
path = templates/executa/python/__SLUG_PY___plugin.py kind = build_helper sizeBytes = 4817 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/executa/python/__SLUG_PY___plugin.pyView on unpkg

Findings

4 High4 Medium5 Low
HighChild Processdist/doctor-VrfEkedz.js
HighShell
HighSame File Env Network Executiondist/login-DhgBgsfx.js
HighCommand Output Exfiltrationdist/login-DhgBgsfx.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/executa/python/__SLUG_PY___plugin.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings