registry  /  @builder.io/buildercode  /  0.14.6

@builder.io/buildercode@0.14.6

⚠ Under review

Builder.io CLI - AI-powered code generation

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 2.44 MB of source, external domains: api.figma.com, builder.io, cdn.builder.io, github.com, help.figma.com, mcp.asana.com, mcp.notion.com, react.dev, vscode.dev, www.builder.io, www.figma.com
Oversized source lightweight scan
dist/cli.mjs2.01 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringsbuilder.iogithub.commcp.asana.commcp.notion.comwww.builder.io
dist/credentials-3SHvRLaX.mjs5.62 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringsapi.figma.combuilder.iocdn.builder.iohelp.figma.comwww.builder.iowww.figma.com

Source & flagged code

5 flagged · loading source
dist/pac-CDS0yyLE.mjsView file
15229patternName = aws_access_key severity = critical line = 15229 matchedText = var Q = ...==";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/pac-CDS0yyLE.mjsView on unpkg · L15229
15229patternName = aws_access_key severity = critical line = 15229 matchedText = var Q = ...==";
Critical
Secret Pattern

AWS access key ID in dist/pac-CDS0yyLE.mjs

dist/pac-CDS0yyLE.mjsView on unpkg · L15229
dist/credentials-3SHvRLaX.mjsView file
context = st shebang = isZsh ? "#!/bin/zsh" : isBash ? "#!/bin/bash" : isFish ? "#!/bin/fish" : isSh ? "#!/bin/sh" : "#!/bin/bash";\n if (isFish) {\n scriptExtension = ".fish";\n scriptContent = `${shebang}\n${command}`;\n } else if (isZsh) {\n scriptExtension = ".sh";\n scriptContent = `${shebang}\nsource ~/.zshrc 2>/dev/null || true\nset -e\n${command}`;\n } else {\n scriptExtension = ".sh";\n scriptContent = `${shebang}\nset -e\n${command}`;\n }\n }\n const scriptPath = getTempScriptPath(scriptExtension);\n try {\n fs.writeFileSync(scriptPath, scriptContent, { mode: 493 });\n return scriptPath;\n } catch (error) {\n throw new Error(`Failed to create temporary script: ${error}`, { cause: error });\n }\n};\nconst getTempScriptPath = (extension) => {\n const tempDir = getTempFolder();\n const timestamp = Date.now();\n const random = Math.random().toString(36).substring(2, 8);\n return path.join(tempDir, `builder_temp_${timestamp}_${random}${extension}`);\n};\nconst getCommandWithShellArgs = (command, shell, login = true) => {\n if (isMultiLin
Critical
Encrypted Payload Temp Execution

Source decrypts an embedded payload, writes it to disk, and executes it through a child process.

dist/credentials-3SHvRLaX.mjsView on unpkg
path = dist/credentials-3SHvRLaX.mjs kind = oversized_source_file sizeBytes = 5894545 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/credentials-3SHvRLaX.mjsView on unpkg
path = dist/credentials-3SHvRLaX.mjs kind = oversized_cli_entrypoint sizeBytes = 5894545 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/credentials-3SHvRLaX.mjsView on unpkg

Findings

3 Critical3 High4 Medium3 Low
CriticalCritical Secretdist/pac-CDS0yyLE.mjs
CriticalEncrypted Payload Temp Executiondist/credentials-3SHvRLaX.mjs
CriticalSecret Patterndist/pac-CDS0yyLE.mjs
HighChild Process
HighShell
HighOversized Source Filedist/credentials-3SHvRLaX.mjs
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/credentials-3SHvRLaX.mjs
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings