@buffbirb/unclaude@1.0.17

An opinionated AI dev tool setup script with a terminal UI. Configure privacy, code intelligence, and tool wrappers for Claude Code and OpenCode.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 6 file(s), 128 KB of source, external domains: api.github.com, astral.sh, example.com, github.com, raw.githubusercontent.com

Source & flagged code

3 flagged

dist/mcp-proxy.js
L12: */
L13: import { spawn } from 'child_process';
L14: import { createInterface } from 'readline';
High
Child Process

Package source references child process execution.

dist/mcp-proxy.js · L12

dist/common.js
L384: // sudo never blocks waiting for a password the ink TUI can't deliver.
L385: export const SUDO_HINT = `Re-run after caching sudo credentials:\n sudo -v && npx @buffbirb/unclaude@latest install`;
L386: export async function sudoRun(args) {
L387:   return new Promise((resolve, reject) => {
L388:     const proc = spawn('sudo', ['-n', ...args], { stdio: ['ignore', 'ignore', 'pipe'] });
L389:     proc.on('close', c => (c === 0 ? resolve() : reject(new Error(`sudo ${args[0]} failed (${c})`))));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/common.js · L384

L1: import { execFile, execFileSync, spawn } from 'child_process';
L2: import { promisify } from 'util';
...
L6: // ── Paths ────────────────────────────────────────────────────────────────────
L7: export const HOME = homedir();
L8: export const AIRC = join(HOME, '.airc');
L9: export const ZSHRC = join(HOME, '.zshrc');
L10: export const CLAUDE_SETTINGS = join(HOME, '.claude', 'settings.json');
...
L145: }
L146: if (process.platform === 'darwin' && supported('appleSandbox')) {
L147: items.push({ id: 'appleSandbox', label: FEATURE_LABELS.appleSandbox, indent: false });
...
L266: export async function run(cmd, args = []) {
L267: const { stdout } = await execFileAsync(cmd, args);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/common.js · L1

Findings

3 High · 4 Medium · 5 Low

High · Child Process · dist/mcp-proxy.js
High · Shell
High · Runtime Package Install · dist/common.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/common.js
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings