registry  /  @code.india/cli  /  0.1.1

@code.india/cli@0.1.1

code.in CLI — sovereign coding for India: keyless OAuth, durable memory, DPDP data-residency, with the code.in engine.

Static Scan Results

scanned 13h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 13 file(s), 7.13 MB of source, external domains: 127.0.0.1, api.code.in, api.openai.com, code-ae-api.onrender.com, github.com, help.openai.com, json-schema.org, registry.npmjs.org

Source & flagged code

6 flagged · loading source
dist/plugin/auth.jsView file
19306import { promises as fs } from "node:fs"; L19307: import { spawnSync } from "node:child_process"; L19308: import { dirname } from "node:path";
High
Child Process

Package source references child process execution.

dist/plugin/auth.jsView on unpkg · L19306
19379function ps(script, input) { L19380: const res = run("powershell", ["-NoProfile", "-NonInteractive", "-Command", script], input); L19381: if (!res.ok) throw new Error(`credential vault (dpapi) failed: ${res.stderr.trim() || "nonzero exit"}`);
High
Shell

Package source references shell execution.

dist/plugin/auth.jsView on unpkg · L19379
19306import { promises as fs } from "node:fs"; L19307: import { spawnSync } from "node:child_process"; L19308: import { dirname } from "node:path"; ... L19311: var import_agent_runtime = __toESM(require_dist(), 1); L19312: var API_BASE = process.env["CODE_AE_API_BASE"] ?? import_agent_runtime.FLAVOR.gatewayApiBase; L19313: var WEB_BASE = process.env["CODE_AE_WEB_BASE"] ?? `https://${import_agent_runtime.FLAVOR.appDomain}`; L19314: function credentialsPath() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/plugin/auth.jsView on unpkg · L19306
223Cross-file remote execution chain: dist/plugin/auth.js spawns dist/plugin/floor.js; helper contains network access plus dynamic code execution. L223: for (let i = 0; i < segment.length; ++i) { L224: let c = segment.charCodeAt(i); L225: if (c === 45 || // - ... L632: Object.defineProperty(exports, "__esModule", { value: true }); L633: exports.setShims = exports.isFsReadStream = exports.fileFromPath = exports.getDefaultAgent = exports.getMultipartRequestOptions = exports.ReadableStream = exports.File = exports.Bl... L634: exports.auto = false; ... L2162: } L2163: get hostname() { L2164: if (this._url.host === null) { ... L2406: }, L2407: create(constructorArgs, privateData) { L2408: let obj = Object.create(URL2.prototype);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/plugin/auth.jsView on unpkg · L223
dist/plugin/floor.jsView file
858"use strict"; L859: var punycode = __require("punycode"); L860: var mappingTable = require_mappingTable();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugin/floor.jsView on unpkg · L858
dist/index.jsView file
1426function cannotHaveAUsernamePasswordPort(url) { L1427: return url.host === null || url.host === "" || url.cannotBeABaseURL || url.scheme === "file"; L1428: } ... L19329: import { promises as fs } from "node:fs"; L19330: import { spawnSync } from "node:child_process"; L19331: import { dirname } from "node:path"; ... L19831: try { L19832: const pkg = JSON.parse(readFileSync(resolve(dirname3(enginePath), "package.json"), "utf8")); L19833: if (pkg.engineVersion && pkg.engineVersion !== EXPECTED_OPENCODE_VERSION) {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/index.jsView on unpkg · L1426

Findings

5 High5 Medium5 Low
HighChild Processdist/plugin/auth.js
HighShelldist/plugin/auth.js
HighSame File Env Network Executiondist/plugin/auth.js
HighRemote Agent Bridgedist/index.js
HighCross File Remote Execution Contextdist/plugin/auth.js
MediumDynamic Requiredist/plugin/floor.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License