registry  /  @binclusive/cli  /  0.5.0

@binclusive/cli@0.5.0

⚠ Under review

Binclusive accessibility CLI — run audits and view violation tickets from your terminal.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 9 file(s), 1.58 MB of source, external domains: binclusive.io, github.com, json-schema.org, kontrol.binclusive.io, pasaport.binclusive.io, raw.githubusercontent.com, react.dev, underscorejs.org

Source & flagged code

8 flagged · loading source
dist/bin.jsView file
143In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}Wa.exports=RZ,Wa.exports.__esModule=!0,Wa.exports.default=Wa.exports});var Zt=x((wxe,Ya)=>{"use... L144: `):"(No errors)",u=AY.create("RelayNetwork","No data returned for operation `"+r._operation.request.node.params.name+"`, got error(s):\n"+l+"\n\nSee the error `source` property for... L145: tell application "System Events" to get value of property list item "CFBundleName" of property list file (app_path & ":Contents:Info.plist")`)}import{promisify as b1}from"util";imp... L146: `)}var ou=e=>(t,n,i,r)=>{let o=i?Object.assign(i,{async:!1}):{async:!1},a=t._zod.run({value:n,issues:[]},o);if(a instanceof Promise)throw new zt;if(a.issues.length){let s=new(r?.Er...
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/bin.jsView on unpkg · L143
136Trigger-reachable chain: manifest.bin -> dist/bin.js L136: `?yield*this.pushCount(1):t==="\r"&&this.charAt(1)===` L137: `?yield*this.pushCount(2):0}*pushSpaces(t){let n=this.pos-1,i;do i=this.buffer[++n];while(i===" "||t&&i===" ");let r=n-this.pos;return r>0&&(yield this.buffer.substr(this.pos,r),th... L138: `)+1;for(;n!==0;)this.onNewLine(this.offset+n),n=this.source.indexOf(` ... L143: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}Wa.exports=RZ,Wa.exports.__esModule=!0,Wa.exports.default=Wa.exports});var Zt=x((wxe,Ya)=>{"use... L144: `):"(No errors)",u=AY.create("RelayNetwork","No data returned for operation `"+r._operation.request.node.params.name+"`, got error(s):\n"+l+"\n\nSee the error `source` property for... L145: tell application "System Events" to get value of property list item "CFBundleName" of property list file (app_path & ":Contents:Info.plist")`)}import{promisify as b1}from"util";imp...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/bin.jsView on unpkg · L136
143In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}Wa.exports=RZ,Wa.exports.__esModule=!0,Wa.exports.default=Wa.exports});var Zt=x((wxe,Ya)=>{"use... L144: `):"(No errors)",u=AY.create("RelayNetwork","No data returned for operation `"+r._operation.request.node.params.name+"`, got error(s):\n"+l+"\n\nSee the error `source` property for... L145: tell application "System Events" to get value of property list item "CFBundleName" of property list file (app_path & ":Contents:Info.plist")`)}import{promisify as b1}from"util";imp...
High
Child Process

Package source references child process execution.

dist/bin.jsView on unpkg · L143
467} L468: `}}})();qN.hash="[redacted]";var fc=qN;var Rr=Z(ae(),1);function et(e,t){return Buffer.from(`${e}:${t}`).toString("base64")}function fd(e){let t=Buffer.from(e... L469: Install it once with:
High
Eval

Package source references dynamic code evaluation.

dist/bin.jsView on unpkg · L467
140`)+1;for(;n!==0;)this.onNewLine(this.offset+n),n=this.source.indexOf(` L141: `,n)+1}return{type:t,offset:this.offset,indent:this.indent,source:this.source}}startBlockValue(t){switch(this.type){case"alias":case"scalar":case"single-quoted-scalar":case"double-... L142: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var o,a=!0,s=!1;return{s:function(){n=n.call(e)},n:function(){var u=n.next();return a=u.done,u}... L143: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}Wa.exports=RZ,Wa.exports.__esModule=!0,Wa.exports.default=Wa.exports});var Zt=x((wxe,Ya)=>{"use... L144: `):"(No errors)",u=AY.create("RelayNetwork","No data returned for operation `"+r._operation.request.node.params.name+"`, got error(s):\n"+l+"\n\nSee the error `source` property for... L145: tell application "System Events" to get value of property list item "CFBundleName" of property list file (app_path & ":Contents:Info.plist")`)}import{promisify as b1}from"util";imp...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin.jsView on unpkg · L140
136`?yield*this.pushCount(1):t==="\r"&&this.charAt(1)===` L137: `?yield*this.pushCount(2):0}*pushSpaces(t){let n=this.pos-1,i;do i=this.buffer[++n];while(i===" "||t&&i===" ");let r=n-this.pos;return r>0&&(yield this.buffer.substr(this.pos,r),th... L138: `)+1;for(;n!==0;)this.onNewLine(this.offset+n),n=this.source.indexOf(` ... L143: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}Wa.exports=RZ,Wa.exports.__esModule=!0,Wa.exports.default=Wa.exports});var Zt=x((wxe,Ya)=>{"use... L144: `):"(No errors)",u=AY.create("RelayNetwork","No data returned for operation `"+r._operation.request.node.params.name+"`, got error(s):\n"+l+"\n\nSee the error `source` property for... L145: tell application "System Events" to get value of property list item "CFBundleName" of property list file (app_path & ":Contents:Info.plist")`)}import{promisify as b1}from"util";imp...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/bin.jsView on unpkg · L136
52Cross-file remote execution chain: dist/bin.js spawns dist/chunk-3MDNIFWR.js; helper contains network access plus dynamic code execution. L52: `;return`${h} L53: ${r}${p}`}else return`${f}${a}${d.join(" ")}${a}${p}`}function Ol({indent:e,options:{commentString:t}},n,i,r){if(i&&r&&(i=i.replace(/^\n+/,"")),i){let o=Nl.indentComment(t(i),e);n.... L54: `:" ")}return LV.stringifyString({comment:e,type:t,value:s},i,r,o)}};Iw.binary=FV});var Ml=x(jl=>{"use strict";var Fl=de(),Qp=Br(),jV=Ce(),MV=Gr();function Nw(e,t){if(Fl.isSeq(e))f... ... L106: ${s}`:i}else{let a=o.commentBefore;o.commentBefore=a?`${i} L107: ${a}`:i}}n?(Array.prototype.push.apply(t.errors,this.errors),Array.prototype.push.apply(t.warnings,this.warnings)):(t.errors=this.errors,t.warnings=this.warnings),this.prelude=[],t... L108: ${n.comment}`:n.comment}this.doc.range[2]=n.offset;break}default:this.errors.push(new Qo.YAMLParseError(Ho(t),"UNEXPECTED_TOKEN",`Unsupported token ${t.type}`))}}*end(t=!1,n=-1){if... ... L140: `)+1;for(;n!==0;)this.onNewLine(this.offset+n),n=this.source.indexOf(` L141: `,n)+1}return{type:t,offset:this.offset,indent:this.indent,source:this.source}}startBlockValue(t){switch(this.type){case"alias":…
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin.jsView on unpkg · L52
52`;return`${h} L53: ${r}${p}`}else return`${f}${a}${d.join(" ")}${a}${p}`}function Ol({indent:e,options:{commentString:t}},n,i,r){if(i&&r&&(i=i.replace(/^\n+/,"")),i){let o=Nl.indentComment(t(i),e);n.... L54: `:" ")}return LV.stringifyString({comment:e,type:t,value:s},i,r,o)}};Iw.binary=FV});var Ml=x(jl=>{"use strict";var Fl=de(),Qp=Br(),jV=Ce(),MV=Gr();function Nw(e,t){if(Fl.isSeq(e))f... ... L106: ${s}`:i}else{let a=o.commentBefore;o.commentBefore=a?`${i} L107: ${a}`:i}}n?(Array.prototype.push.apply(t.errors,this.errors),Array.prototype.push.apply(t.warnings,this.warnings)):(t.errors=this.errors,t.warnings=this.warnings),this.prelude=[],t... L108: ${n.comment}`:n.comment}this.doc.range[2]=n.offset;break}default:this.errors.push(new Qo.YAMLParseError(Ho(t),"UNEXPECTED_TOKEN",`Unsupported token ${t.type}`))}}*end(t=!1,n=-1){if... ... L140: `)+1;for(;n!==0;)this.onNewLine(this.offset+n),n=this.source.indexOf(` L141: `,n)+1}return{type:t,offset:this.offset,indent:this.indent,source:this.source}}startBlockValue(t){switch(this.type){case"alias":case"scalar":case"single-quoted-scalar":case"double-... L142: In order to be iterable, non-array objects must have a [Symbol.iterator]() me
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bin.jsView on unpkg · L52

Findings

2 Critical5 High3 Medium7 Low
CriticalRemote Asset Decode Executedist/bin.js
CriticalTrigger Reachable Dangerous Capabilitydist/bin.js
HighChild Processdist/bin.js
HighEvaldist/bin.js
HighSame File Env Network Executiondist/bin.js
HighCommand Output Exfiltrationdist/bin.js
HighCross File Remote Execution Contextdist/bin.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/bin.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License