registry  /  @bobfrankston/rmfmail  /  1.2.102

@bobfrankston/rmfmail@1.2.102

⚠ Under review

Local-first email client with IMAP sync and standalone native app

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 23 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 413 file(s), 16.0 MB of source, external domains: 127.0.0.1, accounts.google.com, api.anthropic.com, api.openai.com, autoconfig.thunderbird.net, bugs.webkit.org, bugzilla.mozilla.org, calendar.google.com, cdn.jsdelivr.net, cdnjs.cloudflare.com, contacts.google.com, cure53.de, developer.mozilla.org, developers.google.com, docs.microsoft.com, drafts.csswg.org, en.cppreference.com, feross.org, github.com, gmail.googleapis.com, graph.microsoft.com, html.spec.whatwg.org, lea.verou.me, mail.google.com, oauth2.googleapis.com, openjdk.java.net, opensource.org, people.googleapis.com, quilljs.com, rmf39.aaz.lt, tasks.google.com, tasks.googleapis.com, tiptap.dev, translate.google.com, websemantics.uk, www.cse.yorku.ca, www.googleapis.com, www.tiny.cloud, www.w3.org

Source & flagged code

13 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/mailx.jsView file
54import net from "node:net"; L55: import { execSync } from "node:child_process"; L56: import { ports } from "@bobfrankston/miscinfo";
High
Child Process

Package source references child process execution.

bin/mailx.jsView on unpkg · L54
218// reg.exe value for `\"path\" \"%1\"` — double-backslash escapes for L219: // cmd.exe's shell layer, which strips one level before the value reaches L220: // reg.exe. Quoting %1 keeps `?` and `&` from being eaten by cmd before
High
Shell

Package source references shell execution.

bin/mailx.jsView on unpkg · L218
53Cross-file remote execution chain: bin/mailx.js spawns bin/popout-server.js; helper contains network access plus dynamic code execution. L53: import os from "node:os"; L54: import net from "node:net"; L55: import { execSync } from "node:child_process"; L56: import { ports } from "@bobfrankston/miscinfo"; ... L182: const unregister = hasFlag("unregister-mailto"); L183: if (process.platform !== "win32") { L184: console.error("--register-mailto / --unregister-mailto are Windows-only."); ... L196: // (shipped in the npm package) to the per-app location below. L197: const __perAppBin = path.join(process.env.LOCALAPPDATA || "", "rmfmail", "bin"); L198: const __rmfmailtoExe = path.join(__perAppBin, "rmfmailto.exe"); ... L218: // reg.exe value for `\"path\" \"%1\"` — double-backslash escapes for L219: // cmd.exe's shell layer, which strips one level before the value reaches
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/mailx.jsView on unpkg · L53
2175clearInstanceFile(); L2176: const { spawn: spawnChild } = await import("child_process"); L2177: const child = spawnChild("rmfmail", [], { detached: true, stdio: "ignore", shell: true, windowsHide: true }); ... L2190: } L2191: // Auto-update action: run npm install then restart L2192: if (req._action === "performUpdate") {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/mailx.jsView on unpkg · L2175
53import os from "node:os"; L54: import net from "node:net"; L55: import { execSync } from "node:child_process"; L56: import { ports } from "@bobfrankston/miscinfo"; ... L182: const unregister = hasFlag("unregister-mailto"); L183: if (process.platform !== "win32") { L184: console.error("--register-mailto / --unregister-mailto are Windows-only."); ... L196: // (shipped in the npm package) to the per-app location below. L197: const __perAppBin = path.join(process.env.LOCALAPPDATA || "", "rmfmail", "bin"); L198: const __rmfmailtoExe = path.join(__perAppBin, "rmfmailto.exe"); ... L218: // reg.exe value for `\"path\" \"%1\"` — double-backslash escapes for L219: // cmd.exe's shell layer, which strips one level before the value reaches
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/mailx.jsView on unpkg · L53
client/lib/quill/quill.jsView file
1/*! For license information please see quill.js.LICENSE.txt */ L2: !function(t,e){"object"==typeof exports&&"object"==typeof module?module.exports=e():"function"==typeof define&&define.amd?define([],e):"object"==typeof exports?exports.Quill=e():t.... L3: //# sourceMappingURL=quill.js.map
Low
Eval

Package source references a known benign dynamic code generation pattern.

client/lib/quill/quill.jsView on unpkg · L1
bin/lean-accounts.jsView file
137package = @bobfrankston/rmfmail; repositoryIdentity = mailx; dependency = jsonc-parser L137: const mod = await import(pathToFileURL(path.join(dir, "lib", "esm", "main.js")).href).catch(() => null) || L138: await import("jsonc-parser").catch(() => null); L139: if (mod) { parseJsonc = mod.parse; break; }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

bin/lean-accounts.jsView on unpkg · L137
136if (fs.existsSync(path.join(dir, "package.json"))) { L137: const mod = await import(pathToFileURL(path.join(dir, "lib", "esm", "main.js")).href).catch(() => null) || L138: await import("jsonc-parser").catch(() => null);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/lean-accounts.jsView on unpkg · L136
bin/build-bundles.mjsView file
5* mailx's msger custom protocol routes every fetch through one IPC channel L6: * (Rust → daemon stdin → response → stdout), so an ES module import cascade L7: * pays a multi-second roundtrip per file. With ~17 client-side modules each ... L148: logLevel: "info", L149: // .wasm files are inlined as base64 data URLs so the runtime can L150: // decode → Uint8Array → pass as initSqlJs({ wasmBinary }), bypassing L151: // sql.js's fetch(...) of the .wasm. Android WebView refuses to L152: // compile WASM fetched from file:// (even with AllowFileAccess /
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/build-bundles.mjsView on unpkg · L5
bin/rmfmailto.exeView file
path = bin/rmfmailto.exe kind = native_binary sizeBytes = 310272 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/rmfmailto.exeView on unpkg
packages/mailx-service/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @bobfrankston/rmfmail@1.2.87 matchedIdentity = npm:QGJvYmZyYW5rc3Rvbi9ybWZtYWls:1.2.87 similarity = 0.883 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

packages/mailx-service/index.jsView on unpkg

Findings

1 Critical6 High8 Medium8 Low
CriticalPrevious Version Dangerous Deltapackages/mailx-service/index.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/mailx.js
HighShellbin/mailx.js
HighCopied Package Dependency Bridgebin/lean-accounts.js
HighCross File Remote Execution Contextbin/mailx.js
HighRuntime Package Installbin/mailx.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/lean-accounts.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/mailx.js
MediumProtestware
MediumShips Native Binarybin/rmfmailto.exe
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalclient/lib/quill/quill.js
LowWeak Cryptobin/build-bundles.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings