registry  /  @co0ontty/wand  /  2.4.4

@co0ontty/wand@2.4.4

⚠ Under review

A web terminal for local CLI tools like Claude.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 67 file(s), 2.57 MB of source, external domains: github.com, home.huniu.fun, www.apple.com, www.w3.org

Source & flagged code

8 flagged · loading source
dist/config.jsView file
38patternName = generic_password severity = medium line = 38 matchedText = password...me",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/config.jsView on unpkg · L38
dist/git-utils.jsView file
1import { execFileSync } from "node:child_process"; L2: export function runGit(args, cwd, opts = {}) {
High
Child Process

Package source references child process execution.

dist/git-utils.jsView on unpkg · L1
dist/server.jsView file
39import { isPathWithinBase, isBlockedFolderPath, normalizeFolderPath } from "./middleware/path-safety.js"; L40: const execAsync = promisify(exec); L41: const SERVER_MODULE_DIR = path.dirname(new URL(import.meta.url).pathname);
High
Shell

Package source references shell execution.

dist/server.jsView on unpkg · L39
6Cross-file remote execution chain: dist/server.js spawns dist/web-ui/content/vendor/qrcode/qrcode.bundle.js; helper contains network access plus dynamic code execution. L6: import { lstat, mkdir, readdir, readFile, rename, stat, unlink, writeFile } from "node:fs/promises"; L7: import { createServer as createHttpServer } from "node:http"; L8: import { createServer as createHttpsServer } from "node:https"; L9: import { exec, spawn } from "node:child_process"; L10: import os from "node:os"; ... L43: // ── Package info ── L44: const PKG_JSON = JSON.parse(readFileSync(path.join(RUNTIME_ROOT_DIR, "package.json"), "utf8")); L45: const PKG_NAME = PKG_JSON.name; ... L109: if (asset) L110: return { tagName: release.tag_name, body: release.body, asset }; L111: } ... L361: try {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/server.jsView on unpkg · L6
6Detached bundled service listener: dist/server.js launches a Node helper and exposes a broad-bound HTTP listener. L6: import { lstat, mkdir, readdir, readFile, rename, stat, unlink, writeFile } from "node:fs/promises"; L7: import { createServer as createHttpServer } from "node:http"; L8: import { createServer as createHttpsServer } from "node:https"; L9: import { exec, spawn } from "node:child_process"; L10: import os from "node:os"; ... L43: // ── Package info ── L44: const PKG_JSON = JSON.parse(readFileSync(path.join(RUNTIME_ROOT_DIR, "package.json"), "utf8")); L45: const PKG_NAME = PKG_JSON.name; ... L109: if (asset) L110: return { tagName: release.tag_name, body: release.body, asset }; L111: } ... L361: try {
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/server.jsView on unpkg · L6
dist/password-manager.jsView file
1import crypto from "node:crypto"; L2: export const DEFAULT_BROWSER_EXTENSION_BASE_URL = "https://home.huniu.fun:8183"; L3: export const DEFAULT_PASSWORD_VAULT_ID = "personal"; ... L277: if (/^[0-9a-f]+$/i.test(cleaned) && cleaned.length % 2 === 0) { L278: return Buffer.from(cleaned, "hex"); L279: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/password-manager.jsView on unpkg · L1
dist/tui/commands.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @co0ontty/wand@2.3.1 matchedIdentity = npm:QGNvMG9udHR5L3dhbmQ:2.3.1 similarity = 0.781 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/tui/commands.jsView on unpkg
4* 所有命令统一返回 CommandResult,UI 层负责把结果渲染到 toast / 弹窗 / 日志。 L5: * 命令本身不直接写 stdout / stderr —— TUI 模式下 stderr 已经被 log-bus 劫持。 L6: */ L7: import { spawn, spawnSync } from "node:child_process"; L8: import { existsSync, mkdirSync, readFileSync, statSync, writeFileSync, unlinkSync } from "node:fs"; ... L38: stdio: "inherit", L39: env: process.env, L40: }); ... L56: const raw = readFileSync(path.resolve(TUI_MODULE_DIR, "..", "build-info.json"), "utf8"); L57: const parsed = JSON.parse(raw); L58: return typeof parsed.channel === "string" ? parsed.channel : null; ... L117: export function openInBrowser(url) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/tui/commands.jsView on unpkg · L4

Findings

1 Critical4 High5 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/tui/commands.js
HighChild Processdist/git-utils.js
HighShelldist/server.js
HighCross File Remote Execution Contextdist/server.js
HighSpawned Bundled Service Listenerdist/server.js
MediumSecret Patterndist/config.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/tui/commands.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/password-manager.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings