registry  /  @caplets/core  /  0.32.1

@caplets/core@0.32.1

Core runtime library for Caplets Code Mode and progressive disclosure gateways.

Static Scan Results

scanned 11d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 2.94 MB of source, external domains: 127.0.0.1, caplets.dev, caplets.example.com, catalog.caplets.dev, cloud.caplets.dev, developer.mozilla.org, eu-assets.i.posthog.com, eu.i.posthog.com, github.com, json-schema.org, posthog.com, raw.githubusercontent.com, registry.npmjs.org, schemas.microsoft.com, sentry.io, us-assets.i.posthog.com, us.i.posthog.com, www.apple.com, www.cl.cam.ac.uk, yandex.com
Oversized source lightweight scan
dist/user-settings-Bh2a0Dju.js2.73 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringscloud.caplets.devschemas.microsoft.comwww.apple.com

Source & flagged code

8 flagged · loading source
dist/index.jsView file
19import path, { basename, dirname, isAbsolute, join, parse, posix, relative, resolve, sep, win32 } from "node:path"; L20: import childProcess, { execFile, execFileSync, spawn } from "node:child_process"; L21: import process$1, { stdin, stdout } from "node:process";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L19
3656if (process$1.versions?.electron) parseOptions.from = "electron"; L3657: const execArgv = process$1.execArgv ?? []; L3658: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) parseOptions.from = "eval";
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L3656
19Cross-file remote execution chain: dist/index.js spawns dist/schemas-DlnuZQHF.js; helper contains network access plus dynamic code execution. L19: import path, { basename, dirname, isAbsolute, join, parse, posix, relative, resolve, sep, win32 } from "node:path"; L20: import childProcess, { execFile, execFileSync, spawn } from "node:child_process"; L21: import process$1, { stdin, stdout } from "node:process"; L22: import { Readable, Writable } from "node:stream"; L23: import { STATUS_CODES, createServer } from "node:http"; L24: import { createHash, randomBytes, randomUUID, timingSafeEqual } from "node:crypto"; ... L2063: * @return {string} L2064: * @private L2065: */ ... L2942: this._outputConfiguration = { L2943: writeOut: (str) => process$1.stdout.write(str), L2944: writeErr: (str) => process$1.stderr.write(str),
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L19
19Detached bundled service listener: dist/index.js launches a Node helper and exposes a broad-bound HTTP listener. L19: import path, { basename, dirname, isAbsolute, join, parse, posix, relative, resolve, sep, win32 } from "node:path"; L20: import childProcess, { execFile, execFileSync, spawn } from "node:child_process"; L21: import process$1, { stdin, stdout } from "node:process"; L22: import { Readable, Writable } from "node:stream"; L23: import { STATUS_CODES, createServer } from "node:http"; L24: import { createHash, randomBytes, randomUUID, timingSafeEqual } from "node:crypto"; ... L2063: * @return {string} L2064: * @private L2065: */ ... L2942: this._outputConfiguration = { L2943: writeOut: (str) => process$1.stdout.write(str), L2944: writeErr: (str) => process$1.stderr.write(str),
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/index.jsView on unpkg · L19
17619patternName = generic_password severity = medium line = 17619 matchedText = password...ed]"
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L17619
dist/completion-DaoCkJpb.jsView file
1329exports$1.applyEdits = exports$1.modify = exports$1.format = exports$1.printParseErrorCode = exports$1.ParseErrorCode = exports$1.stripComments = exports$1.visit = exports$1.getNod... L1330: const formatter = require("./impl/format"); L1331: const edit = require("./impl/edit");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/completion-DaoCkJpb.jsView on unpkg · L1329
4295try { L4296: const utilInspect = eval("require('util').inspect"); L4297: _custom = utilInspect.custom;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/completion-DaoCkJpb.jsView on unpkg · L4295
dist/user-settings-Bh2a0Dju.jsView file
path = dist/user-settings-Bh2a0Dju.js kind = oversized_source_file sizeBytes = 2866482 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/user-settings-Bh2a0Dju.jsView on unpkg

Findings

5 High6 Medium6 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighCross File Remote Execution Contextdist/index.js
HighSpawned Bundled Service Listenerdist/index.js
HighOversized Source Filedist/user-settings-Bh2a0Dju.js
MediumSecret Patterndist/index.js
MediumDynamic Requiredist/completion-DaoCkJpb.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/completion-DaoCkJpb.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings