registry  /  @comate/comatecli  /  1.0.3

@comate/comatecli@1.0.3

Comate of Terminal —— 交互式终端 AI 编码助手

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 2.66 MB of source, external domains: ghproxy.net, github.com, react.dev
Oversized source lightweight scan
comate-engine/server.js9.07 MB file, sampled 256 KB
FilesystemEnvironmentVarsCryptoHighEntropyStringsMinified
dist/zulu/index.js3.97 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoObfuscatedHighEntropyStringsMinified

Source & flagged code

12 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
comate-engine/assets/skills/ku-doc-manage/references/export_sheet.mdView file
29patternName = supabase_service_key severity = critical line = 29 matchedText = "downloa...=1",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

comate-engine/assets/skills/ku-doc-manage/references/export_sheet.mdView on unpkg · L29
29patternName = supabase_service_key severity = critical line = 29 matchedText = "downloa...=1",
Critical
Secret Pattern

Supabase service role key (JWT) in comate-engine/assets/skills/ku-doc-manage/references/export_sheet.md

comate-engine/assets/skills/ku-doc-manage/references/export_sheet.mdView on unpkg · L29
dist/index.jsView file
1import{fileURLToPath as e}from"url";import{dirname as t}from"path";t(e(import.meta.url));import n from"events";import r from"https";import i from"http";import a from"net";import o ... L2: /**
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1
1import{fileURLToPath as e}from"url";import{dirname as t}from"path";t(e(import.meta.url));import n from"events";import r from"https";import i from"http";import a from"net";import o ... L2: /** ... L9: * LICENSE file in the root directory of this source tree. L10: */"production"===process.env.NODE_ENV?q.exports=function(){if(W)return $;W=1;var e=Symbol.for("react.transitional.element"),t=Symbol.for("react.portal"),n=Symbol.for("react.fragmen... L11: /**
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
45* LICENSE file in the root directory of this source tree. L46: */"production"===process.env.NODE_ENV?$t.exports=(nn||(nn=1,function(e){e.exports=function(e){function t(e,t,n,r){return new Gi(e,t,n,r)}function n(){}function r(e){var t="https://... L47: /** ... L54: * LICENSE file in the root directory of this source tree. L55: */"production"===process.env.NODE_ENV?fu.exports=function(){if(Eu)return hu;Eu=1;var e=Symbol.for("react.transitional.element"),t=Symbol.for("react.fragment");function n(t,n,r){var...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L45
scripts/postinstall.jsView file
224const findCmd = isWindows L225: ? `powershell -Command "Get-ChildItem -Path '${searchDir}' -Filter 'rg.exe' -Recurse ` L226: + '| Select-Object -First 1 -ExpandProperty FullName"'
High
Shell

Package source references shell execution.

scripts/postinstall.jsView on unpkg · L224
bin/zulu-tui.mjsView file
62({FixtureZuluSession, MockLoginController, MockZuluSession, renderChatApp, renderGallery, renderM13Demo, withRecording} L63: = await import('../dist/index.js')); L64: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/zulu-tui.mjsView on unpkg · L62
comate-engine/assets/skills/icode/scripts/common.shView file
path = comate-[redacted].sh kind = build_helper sizeBytes = 3826 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

comate-engine/assets/skills/icode/scripts/common.shView on unpkg
dist/zulu/index.jsView file
path = dist/zulu/index.js kind = oversized_source_file sizeBytes = 4158915 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/zulu/index.jsView on unpkg
comate-engine/assets/skills/code-security/references/vul_repair_sensitive.mdView file
384patternName = generic_password severity = medium line = 384 matchedText = std::str...xx";
Medium
Secret Pattern

Hardcoded password in comate-engine/assets/skills/code-security/references/vul_repair_sensitive.md

comate-engine/assets/skills/code-security/references/vul_repair_sensitive.mdView on unpkg · L384

Findings

2 Critical6 High7 Medium5 Low
CriticalCritical Secretcomate-engine/assets/skills/ku-doc-manage/references/export_sheet.md
CriticalSecret Patterncomate-engine/assets/skills/ku-doc-manage/references/export_sheet.md
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighShellscripts/postinstall.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
HighOversized Source Filedist/zulu/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/zulu-tui.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpercomate-engine/assets/skills/icode/scripts/common.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterncomate-engine/assets/skills/code-security/references/vul_repair_sensitive.md
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings