registry  /  @cloudgrid-io/cli  /  0.13.0

@cloudgrid-io/cli@0.13.0

⚠ Under review

The CloudGrid CLI — put your apps and agents on the grid.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 8 file(s), 596 KB of source, external domains: api.cloudgrid.io, api.example.com, claude.ai, code.claude.com, console.cloudgrid.io, github.com, registry.npmjs.org

Source & flagged code

6 flagged · loading source
dist/index.jsView file
34let dir = dirname(fileURLToPath(import.meta.url)); L35: while (!existsSync(join(dir, "package.json"))) { L36: const parent = dirname(dir); ... L52: // src/utils.ts L53: import { execa } from "execa"; L54: import chalk from "chalk"; ... L90: V2ApiError: () => V2ApiError, L91: exitCodeFor: () => exitCodeFor, L92: parseErrorBody: () => parseErrorBody L93: }); ... L250: try { L251: const pkg2 = JSON.parse(readFileSync(candidate, "utf-8"));
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L34
34Trigger-reachable chain: manifest.bin -> dist/index.js L34: let dir = dirname(fileURLToPath(import.meta.url)); L35: while (!existsSync(join(dir, "package.json"))) { L36: const parent = dirname(dir); ... L52: // src/utils.ts L53: import { execa } from "execa"; L54: import chalk from "chalk"; ... L90: V2ApiError: () => V2ApiError, L91: exitCodeFor: () => exitCodeFor, L92: parseErrorBody: () => parseErrorBody L93: }); ... L250: try { L251: const pkg2 = JSON.parse(readFileSync(candidate, "utf-8"));
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L34
2327import { Command as Command4 } from "commander"; L2328: import { execSync } from "child_process"; L2329: import { existsSync as existsSync21, mkdirSync as mkdirSync10, readdirSync as readdirSync3, writeFileSync as writeFileSync13, rmSync as rmSync3 } from "fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L2327
52// src/utils.ts L53: import { execa } from "execa"; L54: import chalk from "chalk";
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L52
16680if (!existsSync33(path)) { L16681: process.stderr.write(`Error: completion script not found at ${path}. Reinstall the CLI. L16682: `); ... L16691: import { Command as Command73 } from "commander"; L16692: import { execSync as execSync3 } from "child_process"; L16693: import * as net3 from "net"; L16694: import chalk8 from "chalk";
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L16680
completions/cloudgrid.fishView file
path = completions/cloudgrid.fish kind = build_helper sizeBytes = 2405 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

completions/cloudgrid.fishView on unpkg

Findings

2 Critical3 High4 Medium6 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpercompletions/cloudgrid.fish
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License