registry  /  @cartridge/controller  /  0.13.13

@cartridge/controller@0.13.13

Cartridge Controller

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 68 file(s), 769 KB of source, external domains: api.cartridge.gg, assets.coingecko.com, assets.underware.gg, fonts.googleapis.com, imagedelivery.net, lootsurvivor.io, nums.gg, oxlib.sh, profile.cartridge.gg, static.cartridge.gg, viem.sh, www.w3.org, x.cartridge.gg

Source & flagged code

7 flagged · loading source
bin/build-react-styles.mjsView file
19// `build:deps` script. Output: dist/react/styles.css. L20: import { execFileSync } from "node:child_process"; L21: import {
High
Child Process

Package source references child process execution.

bin/build-react-styles.mjsView on unpkg · L19
19Cross-file remote execution chain: bin/build-react-styles.mjs spawns dist/index.js; helper contains network access plus dynamic code execution. L19: // `build:deps` script. Output: dist/react/styles.css. L20: import { execFileSync } from "node:child_process"; L21: import { ... L66: const tailwindCli = resolve( L67: dirname(require.resolve("tailwindcss/package.json")), L68: "lib/cli.js", ... L89: const interImport = L90: '@import url("https://fonts.googleapis.com/css2?family=Inter:wght@100..900&display=swap");\n'; L91: writeFileSync(out, interImport + readFileSync(out, "utf8"));
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/build-react-styles.mjsView on unpkg · L19
dist/index.jsView file
1import{WalletAccount,num,constants,shortString}from"starknet";import{R as ResponseCodes,t as toArray,K as KEYCHAIN_URL,A as API_URL,I as IMPLEMENTED_AUTH_OPTIONS,B as BaseProvider,... L2: })`,{filename,importModuleDynamically:(_vm_constants_USE_MAIN_CONTEXT_DEFAULT_LOADER=(_vm_constants=vm.constants)==null?void 0:_vm_constants.USE_MAIN_CONTEXT_DEFAULT_LOADER)!=null?...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
1import{WalletAccount,num,constants,shortString}from"starknet";import{R as ResponseCodes,t as toArray,K as KEYCHAIN_URL,A as API_URL,I as IMPLEMENTED_AUTH_OPTIONS,B as BaseProvider,... L2: })`,{filename,importModuleDynamically:(_vm_constants_USE_MAIN_CONTEXT_DEFAULT_LOADER=(_vm_constants=vm.constants)==null?void 0:_vm_constants.USE_MAIN_CONTEXT_DEFAULT_LOADER)!=null?...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1
1import{WalletAccount,num,constants,shortString}from"starknet";import{R as ResponseCodes,t as toArray,K as KEYCHAIN_URL,A as API_URL,I as IMPLEMENTED_AUTH_OPTIONS,B as BaseProvider,... L2: })`,{filename,importModuleDynamically:(_vm_constants_USE_MAIN_CONTEXT_DEFAULT_LOADER=(_vm_constants=vm.constants)==null?void 0:_vm_constants.USE_MAIN_CONTEXT_DEFAULT_LOADER)!=null?... ... L5: ${safeToString(this.remoteInfo)}`),this.remoteEntryExports=e,this.remoteEntryExports}async get(e,r,n,s){const{loadFactory:o=!0}=n||{loadFactory:!0},i=await this.getEntry();if(!this... L6: `);super(a,r.cause?{cause:r.cause}:void 0),Object.defineProperty(this,"details",{enumerable:!0,configurable:!0,writable:!0,value:void 0}),Object.defineProperty(this,"docs",{enumera... L7: `,r)}try{window.addEventListener("wallet-standard:app-ready",({detail:r})=>e(r))}catch(r){console.error(`wallet-standard:app-ready event listener could not be added L8: `,r)}}class RegisterWalletEvent extends Event{get detail(){return __classPrivateFieldGet(this,_RegisterWalletEvent_detail,"f")}get type(){return"wallet-standard:register-wallet"}co... L9: query LookupSigners($username: String!) { ... L32: } L33: `,variables:{username:t}}
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/index.jsView on unpkg · L1
1import{WalletAccount,num,constants,shortString}from"starknet";import{R as ResponseCodes,t as toArray,K as KEYCHAIN_URL,A as API_URL,I as IMPLEMENTED_AUTH_OPTIONS,B as BaseProvider,... L2: })`,{filename,importModuleDynamically:(_vm_constants_USE_MAIN_CONTEXT_DEFAULT_LOADER=(_vm_constants=vm.constants)==null?void 0:_vm_constants.USE_MAIN_CONTEXT_DEFAULT_LOADER)!=null?...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L1
HEADLESS_MODE.mdView file
60patternName = generic_password severity = medium line = 60 matchedText = password...le",
Medium
Secret Pattern

Hardcoded password in HEADLESS_MODE.md

HEADLESS_MODE.mdView on unpkg · L60

Findings

4 High6 Medium6 Low
HighChild Processbin/build-react-styles.mjs
HighShell
HighSame File Env Network Executiondist/index.js
HighCross File Remote Execution Contextbin/build-react-styles.mjs
MediumDynamic Requiredist/index.js
MediumUnsafe Vm Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret PatternHEADLESS_MODE.md
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License