registry  /  @capacitor/cli  /  8.4.2

@capacitor/cli@8.4.2

Capacitor: Cross-platform apps with JavaScript and the web

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Interactive `cap build` telemetry can include signing-password command options in its outbound metric. No install-time execution or AI-agent control-surface mutation was found.

Static reason
One or more suspicious static signals were detected.
Trigger
Run `cap build` interactively with `--keystorepass` or `--keystorealiaspass` while telemetry is enabled.
Impact
Potential disclosure of Android signing credentials to the telemetry endpoint.
Mechanism
Telemetry serializes complete Commander options into an HTTPS POST.
Rationale
Source inspection found a concrete telemetry credential-leak risk, but not evidence of intentionally malicious install behavior, remote payload execution, or unauthorized persistence. Flag the package version for warning rather than block publication.
Evidence
package.jsonbin/capacitordist/index.jsdist/telemetry.jsdist/ipc.jsdist/common.jsdist/config.jsdist/util/template.jsdist/sysconfig.js
Network endpoints1
metrics-capacitor.outsystems.com

Decision evidence

public snapshot
AI called this Suspicious at 96.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/index.js` wraps `build` with telemetry while accepting `--keystorepass` and `--keystorealiaspass`.
  • `dist/telemetry.js` serializes all command options via `JSON.stringify(cmd.opts())`.
  • `dist/telemetry.js` enables telemetry on first interactive use and sends the collected metric.
  • `dist/ipc.js` POSTs telemetry JSON to `metrics-capacitor.outsystems.com`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `bin/capacitor` only checks the Node version and invokes `dist/index.js`.
  • Telemetry transmission is limited to interactive sessions with telemetry enabled.
  • Archive assets list as native project templates; no agent-control files or evaluator primitives were found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 63 file(s), 323 KB of source, external domains: capacitorjs.com, cordova.apache.org, docs.npmjs.com, github.com, ionic.io, ionicframework.com, schemas.amazon.com, www.apple.com, www.npmjs.com, www.w3.org

Source & flagged code

4 flagged · loading source
dist/ipc.jsView file
3exports.receive = exports.send = void 0; L4: const tslib_1 = require("tslib"); L5: const utils_subprocess_1 = require("@ionic/utils-subprocess");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/ipc.jsView on unpkg · L3
dist/util/cli.jsView file
4package = @capacitor/cli; repositoryIdentity = capacitor; dependency = env-paths L4: const tslib_1 = require("tslib"); L5: const env_paths_1 = tslib_1.__importDefault(require("env-paths")); L6: const errors_1 = require("../errors");
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/util/cli.jsView on unpkg · L4
assets/capacitor-cordova-android-plugins.tar.gzView file
path = assets/capacitor-cordova-android-plugins.tar.gz kind = compressed_blob sizeBytes = 930 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

assets/capacitor-cordova-android-plugins.tar.gzView on unpkg
assets/ios-pods-template.tar.gzView file
path = assets/ios-pods-template.tar.gz kind = high_entropy_blob sizeBytes = 155303 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

assets/ios-pods-template.tar.gzView on unpkg

Findings

2 High5 Medium5 Low
HighCopied Package Dependency Bridgedist/util/cli.js
HighShips High Entropy Blobassets/ios-pods-template.tar.gz
MediumDynamic Requiredist/ipc.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobassets/capacitor-cordova-android-plugins.tar.gz
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings