
@arbidocs/cli@0.3.99

CLI tool for interacting with ARBI — login, manage workspaces, upload documents, query the RAG assistant

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
  Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: no manifest risk signals triggered.

Scanned 5 file(s), 409 KB of source. External domains referenced: central.arbi.work, docs.anthropic.com, docs.openclaw.ai

Source & flagged code

6 flagged

package.json
scripts.postinstall = node scripts/postinstall.js
High · Install Time Lifecycle Scripts
Package defines an install-time lifecycle script (scripts.postinstall). npm runs it automatically, with the installing user's privileges, whenever the package is installed as a dependency or globally, unless the installer passes --ignore-scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium · Ambiguous Install Lifecycle Script
The install-time lifecycle script (node scripts/postinstall.js) is not on the scanner's static allowlist, so what scripts/postinstall.js actually does has to be reviewed by hand.
dist/index.js (L10)
L10: var sdk = require('@arbidocs/sdk');
L11: var child_process = require('child_process');
L12: var client = require('@arbidocs/client');
High · Child Process
Package source references child process execution (child_process is required at L11).
dist/index.js (L3753)
L3753: Your arbi version is out of date (${"0.3.99"} \u2192 ${latest}). Updating...`);
L3754: child_process.execSync("npm install -g @arbidocs/cli@latest", { stdio: "inherit" });
L3755: showChangelog("0.3.99", latest);
High · Runtime Package Install
Package source invokes a package manager install command at runtime: when the CLI decides it is out of date it runs npm install -g @arbidocs/cli@latest through a shell with inherited stdio, so whatever is published under the latest tag at that moment is installed globally without further confirmation in the excerpt shown.
dist/index.js (L10)
L10: var sdk = require('@arbidocs/sdk');
L11: var child_process = require('child_process');
L12: var client = require('@arbidocs/client');
...
L87: function getCacheFile() {
L88:   const configDir = process.env.ARBI_CONFIG_DIR ?? path5__default.default.join(os2__default.default.homedir(), ".arbi");
L89:   return path5__default.default.join(configDir, "completions.json");
...
L99: const content = fs5__default.default.readFileSync(getCacheFile(), "utf-8");
L100: const cache = JSON.parse(content);
L101: return cache.workspaces.map((w) => w.id);
...
L269: const shell = process.env.SHELL || "";
L270: if (shell.includes("zsh")) return path5.join(os2.homedir(), ".zshrc");
L271: return path5.join(os2.homedir(), ".bashrc");
Medium · Install Persistence
Source writes installer persistence such as a shell profile or service configuration. The flagged lines resolve ~/.zshrc or ~/.bashrc from $SHELL (L269-L271), which is consistent with installing shell completions, and read a completions cache from $ARBI_CONFIG_DIR or ~/.arbi (L87-L101). The write to the profile itself is not in the excerpt, so confirm what is appended to the profile and whether it is done only on an explicit user command before blocking.
scripts/bench-upload.mjs (L23)
Scanner note: cross-file remote execution chain. scripts/bench-upload.mjs spawns dist/index.js, and that helper contains network access plus dynamic code execution.
L23:
L24: import { spawn } from 'node:child_process'
L25: import { writeFileSync, mkdtempSync, rmSync } from 'node:fs'
...
L134:
L135:   return Buffer.from(header + body + xref, 'utf8')
L136: }
...
L144: })
L145: let stdout = ''
L146: let stderr = ''
...
L211: if (r.code !== 0) {
L212:   process.stderr.write(stripAnsi(r.stdout))
L213:   process.stderr.write(stripAnsi(r.stderr))
High · Cross File Remote Execution Context
Source spawns a local helper (dist/index.js) that itself contains network and dynamic-execution context; review the data flow from the spawn to the helper's network calls before blocking. The excerpt is consistent with a benchmark script that drives the CLI and echoes its output on a non-zero exit, so this finding inherits whatever risk dist/index.js carries rather than adding its own.
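The six flagged items above come from a handful of line-level signals: install hooks in package.json, a require of child_process, an npm install string reached at runtime, and shell-profile paths. As an added example, not the registry scanner's code and not code from @arbidocs/cli, the JavaScript below reproduces those signals over constructed inputs modelled on the excerpts. The rule names follow the report; the severities, the contents of INSTALL_ALLOWLIST and the sample files are assumptions.

```javascript
// Added example, not code from the registry scanner or from @arbidocs/cli: a
// minimal reproduction of the static signals this report raises, run over
// constructed snippets modelled on the flagged lines. Rule names follow the
// report; severities, INSTALL_ALLOWLIST and SAMPLE_FILES are assumptions.

// Hooks npm runs automatically when the package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Install commands a reviewer is willing to wave through unread (assumed list).
const INSTALL_ALLOWLIST = [
  /^node-gyp rebuild$/,
  /^prebuild-install(\s|$)/,
  /^node-pre-gyp install(\s|$)/,
];

// Line-level source patterns, each mapped to the report's rule name.
const SOURCE_RULES = [
  { rule: 'Child Process', severity: 'High',
    re: /require\(['"](node:)?child_process['"]\)|from\s+['"](node:)?child_process['"]/ },
  { rule: 'Runtime Package Install', severity: 'High',
    re: /\b(npm|pnpm|yarn)\s+(install|add|i)\b/ },
  { rule: 'Install Persistence', severity: 'Medium',
    re: /\.(zshrc|bashrc|bash_profile|zprofile|profile)\b|\/etc\/systemd\// },
];

// package.json: every install hook is High; one not on the allowlist is also Medium.
function manifestFindings(file, pkg) {
  const out = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    const evidence = `scripts.${hook} = ${cmd}`;
    out.push({ file, severity: 'High', rule: 'Install Time Lifecycle Scripts', evidence });
    if (!INSTALL_ALLOWLIST.some((re) => re.test(cmd.trim()))) {
      out.push({ file, severity: 'Medium', rule: 'Ambiguous Install Lifecycle Script', evidence });
    }
  }
  return out;
}

// Source files: report each rule once per file, citing the first matching line.
function sourceFindings(file, code) {
  const out = [];
  const seen = new Set();
  code.split('\n').forEach((text, i) => {
    for (const { rule, severity, re } of SOURCE_RULES) {
      if (seen.has(rule) || !re.test(text)) continue;
      seen.add(rule);
      out.push({ file, severity, rule, evidence: `L${i + 1}: ${text.trim()}` });
    }
  });
  return out;
}

// Scan a map of path -> content and tally findings by severity.
function scan(files) {
  const findings = [];
  for (const [file, content] of Object.entries(files)) {
    if (file.endsWith('package.json')) findings.push(...manifestFindings(file, JSON.parse(content)));
    else findings.push(...sourceFindings(file, content));
  }
  const counts = { High: 0, Medium: 0, Low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return { findings, counts };
}

// Constructed inputs modelled on the excerpts in this report (not the real package).
const SAMPLE_FILES = {
  'package.json': JSON.stringify({
    name: 'example-cli',
    scripts: { postinstall: 'node scripts/postinstall.js', test: 'node test.js' },
  }),
  'dist/index.js': [
    "var sdk = require('example-sdk');",
    "var child_process = require('child_process');",
    'function profile() { return process.env.SHELL.includes("zsh") ? ".zshrc" : ".bashrc"; }',
    'child_process.execSync("npm install -g example-cli@latest", { stdio: "inherit" });',
  ].join('\n'),
};

const report = scan(SAMPLE_FILES);
for (const f of report.findings) {
  console.log(`${f.severity.padEnd(6)} ${f.rule.padEnd(34)} ${f.file}  ${f.evidence}`);
}
console.log(report.counts);
```

Running it prints three High and two Medium findings with the same rule names as the report. The allowlist is what separates "Install Time Lifecycle Scripts" from "Ambiguous Install Lifecycle Script": a bare node scripts/postinstall.js says nothing about what runs, so it lands in review. To read scripts/postinstall.js before it executes, fetch the package with npm install --ignore-scripts (or npm pack and unpack the tarball) rather than a plain install.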

Findings

5 High · 5 Medium · 5 Low

High     Install Time Lifecycle Scripts        package.json
High     Child Process                         dist/index.js
High     Shell
High     Cross File Remote Execution Context   scripts/bench-upload.mjs
High     Runtime Package Install               dist/index.js
Medium   Ambiguous Install Lifecycle Script    package.json
Medium   Network
Medium   Environment Vars
Medium   Install Persistence                   dist/index.js
Medium   Structural Risk Force Deep Review
Low      Non Install Lifecycle Scripts
Low      Scripts Present
Low      Filesystem
Low      High Entropy Strings
Low      Url Strings