
@cline/core@0.0.56

⚠ Under review

Cline Core SDK for Node Runtime

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 17 findings at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
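A high-risk combination of behaviors matched the scanner's malicious-package policy. This is a rule match, not a confirmed verdict: the version stays warn-only until a review confirms malicious behavior.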

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, Telemetry, UrlStrings
Manifest
NoLicense
scanned 6 file(s), 2.31 MB of source, external domains: 127.0.0.1, api.ai, api.hicap.ai, api.openai.com, data.cline.bot, github.com, inference.baseten.co, inference.poolside.ai, models.dev

Source & flagged code

8 flagged
dist/index.js
1import{createRequire as NA}from"node:module";var MA=Object.defineProperty;var RA=($)=>$;function EA($,Z){this[$]=RA.bind(null,Z)}var n9=($,Z)=>{for(var Q in Z)MA($,Q,{get:Z[Q],enum... L2: `,"utf8"),hU()}function vZ(){return D0().telemetryOptOut}function gU($,Z={}){G1({...D0(),telemetryOptOut:$},Z)}function mU(){return D0().autoUpdateEnabled}function vU($,Z={}){G1({.... L3: `)}function zz($){if(!$||$.length===0)return[];let Z=[];for(let Q of $){let W=Tz(Q);if(W)Z.push(W)}return Z}function Tz($){let Z=$.trim();if(!Z)return;let Q=Z.match(/^data:([^;,]+)... L4: `),J}finally{X5.delete($.lockDir),ST($)}}function U1($,Z,Q={}){let W=bT($,Q);return WV(W,$,Z)}async function Y5($,Z,Q={}){let W=await yT($,Q);return WV(W,$,Z)}function hT($){let Z=... L5: <html lang="en"> ... L44: </body> L45: </html>`;function OJ($){let Z="";for(let Q=0;Q<$.length;Q+=1)Z+=String.fromCharCode($[Q]??0);return btoa(Z).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var tZ=ED();function eZ($,Z,Q){if(typeof $==="number"&&$>0)return $;if(Q){let W=process.env[Q];if(W){let J=Number(W);if(Number.isInteger(J)&&J>0)return J}}return Z}async functi...
Critical
Credential Exfiltration

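Source appears to send environment or credential material to an external endpoint. The excerpt shown for this finding is truncated, and its visible portion contains an environment-variable read but no outbound request, so confirm the finding by tracing where environment values flow in the full dist/index.js.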

dist/index.js · L1
1Trigger-reachable chain: manifest.main -> dist/index.js L1: import{createRequire as NA}from"node:module";var MA=Object.defineProperty;var RA=($)=>$;function EA($,Z){this[$]=RA.bind(null,Z)}var n9=($,Z)=>{for(var Q in Z)MA($,Q,{get:Z[Q],enum... L2: `,"utf8"),hU()}function vZ(){return D0().telemetryOptOut}function gU($,Z={}){G1({...D0(),telemetryOptOut:$},Z)}function mU(){return D0().autoUpdateEnabled}function vU($,Z={}){G1({.... L3: `)}function zz($){if(!$||$.length===0)return[];let Z=[];for(let Q of $){let W=Tz(Q);if(W)Z.push(W)}return Z}function Tz($){let Z=$.trim();if(!Z)return;let Q=Z.match(/^data:([^;,]+)... L4: `),J}finally{X5.delete($.lockDir),ST($)}}function U1($,Z,Q={}){let W=bT($,Q);return WV(W,$,Z)}async function Y5($,Z,Q={}){let W=await yT($,Q);return WV(W,$,Z)}function hT($){let Z=... L5: <html lang="en"> ... L44: </body> L45: </html>`;function OJ($){let Z="";for(let Q=0;Q<$.length;Q+=1)Z+=String.fromCharCode($[Q]??0);return btoa(Z).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var tZ=ED();function eZ($,Z,Q){if(typeof $==="number"&&$>0)return $;if(Q){let W=process.env[Q];if(W){let J=Number(W);if(Number.isInteger(J)&&J>0)return J}}…
Critical
Trigger Reachable Dangerous Capability

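A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. The chain shown for this finding is manifest.main -> dist/index.js, so the path runs through the package entrypoint; no lifecycle script appears in the chain.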

dist/index.js · L1
44</body> L45: </html>`;function OJ($){let Z="";for(let Q=0;Q<$.length;Q+=1)Z+=String.fromCharCode($[Q]??0);return btoa(Z).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var tZ=ED();function eZ($,Z,Q){if(typeof $==="number"&&$>0)return $;if(Q){let W=process.env[Q];if(W){let J=Number(W);if(Number.isInteger(J)&&J>0)return J}}return Z}async functi...
High
Child Process

Package source references child process execution.

dist/index.js · L44
44</body> L45: </html>`;function OJ($){let Z="";for(let Q=0;Q<$.length;Q+=1)Z+=String.fromCharCode($[Q]??0);return btoa(Z).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var tZ=ED();function eZ($,Z,Q){if(typeof $==="number"&&$>0)return $;if(Q){let W=process.env[Q];if(W){let J=Number(W);if(Number.isInteger(J)&&J>0)return J}}return Z}async functi...
High
Shell

Package source references shell execution.

dist/index.js · L44
44</body> L45: </html>`;function OJ($){let Z="";for(let Q=0;Q<$.length;Q+=1)Z+=String.fromCharCode($[Q]??0);return btoa(Z).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var tZ=ED();function eZ($,Z,Q){if(typeof $==="number"&&$>0)return $;if(Q){let W=process.env[Q];if(W){let J=Number(W);if(Number.isInteger(J)&&J>0)return J}}return Z}async functi...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L44
44</body> L45: </html>`;function OJ($){let Z="";for(let Q=0;Q<$.length;Q+=1)Z+=String.fromCharCode($[Q]??0);return btoa(Z).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var tZ=ED();function eZ($,Z,Q){if(typeof $==="number"&&$>0)return $;if(Q){let W=process.env[Q];if(W){let J=Number(W);if(Number.isInteger(J)&&J>0)return J}}return Z}async functi...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.js · L44
3`)}function zz($){if(!$||$.length===0)return[];let Z=[];for(let Q of $){let W=Tz(Q);if(W)Z.push(W)}return Z}function Tz($){let Z=$.trim();if(!Z)return;let Q=Z.match(/^data:([^;,]+)... L4: `),J}finally{X5.delete($.lockDir),ST($)}}function U1($,Z,Q={}){let W=bT($,Q);return WV(W,$,Z)}async function Y5($,Z,Q={}){let W=await yT($,Q);return WV(W,$,Z)}function hT($){let Z=... L5: <html lang="en">
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.js · L3
1import{createRequire as NA}from"node:module";var MA=Object.defineProperty;var RA=($)=>$;function EA($,Z){this[$]=RA.bind(null,Z)}var n9=($,Z)=>{for(var Q in Z)MA($,Q,{get:Z[Q],enum... L2: `,"utf8"),hU()}function vZ(){return D0().telemetryOptOut}function gU($,Z={}){G1({...D0(),telemetryOptOut:$},Z)}function mU(){return D0().autoUpdateEnabled}function vU($,Z={}){G1({.... L3: `)}function zz($){if(!$||$.length===0)return[];let Z=[];for(let Q of $){let W=Tz(Q);if(W)Z.push(W)}return Z}function Tz($){let Z=$.trim();if(!Z)return;let Q=Z.match(/^data:([^;,]+)... L4: `),J}finally{X5.delete($.lockDir),ST($)}}function U1($,Z,Q={}){let W=bT($,Q);return WV(W,$,Z)}async function Y5($,Z,Q={}){let W=await yT($,Q);return WV(W,$,Z)}function hT($){let Z=... L5: <html lang="en"> ... L44: </body> L45: </html>`;function OJ($){let Z="";for(let Q=0;Q<$.length;Q+=1)Z+=String.fromCharCode($[Q]??0);return btoa(Z).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/g,"")}async function ... L46: `)}}var tZ=ED();function eZ($,Z,Q){if(typeof $==="number"&&$>0)return $;if(Q){let W=process.env[Q];if(W){let J=Number(W);if(Number.isInteger(J)&&J>0)return J}}return Z}async functi...
Low
Weak Crypto

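Package source references weak cryptographic algorithms. The excerpt shown does not identify which algorithm was matched or what it is used for, so check the call site in the full file before treating this as a weakness.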

dist/index.js · L1

Findings

2 Critical · 4 High · 4 Medium · 7 Low
Critical · Credential Exfiltration · dist/index.js
Critical · Trigger Reachable Dangerous Capability · dist/index.js
High · Child Process · dist/index.js
High · Shell · dist/index.js
High · Same File Env Network Execution · dist/index.js
High · Command Output Exfiltration · dist/index.js
Medium · Dynamic Require · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/index.js
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License