registry  /  @blnkfinance/blnk-cli  /  1.8.1

@blnkfinance/blnk-cli@1.8.1

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 11 file(s), 83.9 KB of source, external domains: api.example.com, discord.gg, docs.blnkfinance.com, github.com

Source & flagged code

2 flagged · loading source
plugins.jsView file
1#!/usr/bin/env node L2: import axios from "axios"; L3: import sqlite3 from "sqlite3"; ... L14: L15: const appDataDir = path.join(os.homedir(), ".blnk-cli"); L16: const dbPath = path.join(appDataDir, "plugin-state.db"); ... L126: const pluginJsonPath = path.join(destination, "plugin.json"); L127: const pluginJson = JSON.parse( L128: fs.readFileSync(pluginJsonPath, "utf8") ... L354: chalk, L355: eventData: {}, L356: module,
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

plugins.jsView on unpkg · L1
core.jsView file
2import inquirer from "inquirer"; L3: import { spawn } from "child_process"; L4: import { fail, failFromError } from "./utils/errors.js"; L5: import { requestApi } from "./utils/axios.js"; L6: import { colorStatus, displayTable } from "./utils/output.js"; ... L254: function startSpinner(label) { L255: const stream = process.stderr; L256: let frameIndex = 0; L257: stream.write(spinnerGray(`${SPINNER_FRAMES[frameIndex]} ${label}`)); L258: ... L277: const trimmed = input.trim(); L278: return trimmed ? JSON.parse(trimmed) : {};
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

core.jsView on unpkg · L2

Findings

1 High3 Medium4 Low
HighSandbox Evasion Gated Capabilitycore.js
MediumUnsafe Vm Contextplugins.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License