
@codemarc/blt@1.10.6

blt cli

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Url Strings
Manifest
No manifest risk signals triggered.
scanned 111 file(s), 398 KB of source, external domains: api.digitalocean.com, bltcore-com.github.io, claude.com, cli.github.com, github.com, supabase.com

Source & flagged code

3 flagged
dist/lib/github.js
    L1: import { spawnSync } from "node:child_process";
    L2: export function ensureGhInstalled(logger) {
High
Child Process

Package source references child process execution.

dist/lib/github.js · L1
dist/lib/digitalocean.js
    L4: import { homedir } from "node:os";
    L5: const DO_API = "https://api.digitalocean.com/v2";
    L6: function readDoctlToken() {
    L7:   const configPath = process.platform === "darwin"
    L8:     ? join(homedir(), "Library", "Application Support", "doctl", "config.yaml")
    L9:     : join(homedir(), ".config", "doctl", "config.yaml");
    ...
    L19: function getToken() {
    L20:   const token = process.env.DIGITALOCEAN_ACCESS_TOKEN ??
    L21:     process.env.DIGITALOCEAN_TOKEN ??
    ...
    L39:   return undefined;
    L40:   const body = await res.text();
    L41:   if (!res.ok) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/lib/digitalocean.js · L4
dist/commands/deploy/functions.js
    L32: try {
    L33:   const version = exec("bunx supabase --version", { silent: true, cwd });
    L34:   logger.info(`Supabase CLI found: ${version?.trim() ?? "unknown"}`);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/deploy/functions.js · L32

Findings

4 High · 3 Medium · 5 Low

High · Child Process · dist/lib/github.js
High · Shell
High · Sandbox Evasion Gated Capability · dist/lib/digitalocean.js
High · Runtime Package Install · dist/commands/deploy/functions.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings