registry  /  @ctrl-spc/cli  /  1.3.8

@ctrl-spc/cli@1.3.8

CTRL+SPC CLI — per-machine agent for browser login, project linking, presence, and the local MCP server.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 29 file(s), 437 KB of source, external domains: 127.0.0.1, ctrl-spc.com, esm.sh, gdioapkjgnlddsutysne.supabase.co, www.ctrl-spc.com

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "console.log('CTRL+SPC installed. Run: ctrl-spc onboard')"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "console.log('CTRL+SPC installed. Run: ctrl-spc onboard')"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/dispatch.jsView file
1import { spawn } from 'node:child_process'; L2: import { statSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/dispatch.jsView on unpkg · L1
dist/companion-projects.jsView file
358].join('; '); L359: const { stdout } = await execute('powershell.exe', ['-NoProfile', '-Command', script]); L360: return stdout.trim() || null;
High
Shell

Package source references shell execution.

dist/companion-projects.jsView on unpkg · L358
dist/wake.jsView file
1import { execFileSync } from 'node:child_process'; L2: import { chmodSync, existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs'; ... L15: export function wakeAgentPlistPath() { L16: return join(homedir(), 'Library', 'LaunchAgents', `${WAKE_LABEL}.plist`); L17: } ... L48: } L49: function defaultLaunchctl(args) { L50: execFileSync('launchctl', args, { stdio: 'ignore' }); ... L92: export function installWakeAgent(deps = {}) { L93: if (process.env.CTRL_SPC_NO_WAKE_AGENT === '1') L94: return false; L95: if (deps.schtasks || (process.platform === 'win32' && !deps.plistPath))
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/wake.jsView on unpkg · L1
dist/companion.jsView file
320function companionUrl(state, onboard) { L321: return `http://127.0.0.1:${state.port}/?token=${encodeURIComponent(state.token)}${onboard ? '&onboard=1' : ''}`; L322: } ... L333: rmSync(statePath(managerKind), { force: true }); L334: const child = spawn(process.execPath, [CLI_ENTRY_PATH, '__companion'], { L335: detached: true, L336: env: { ...process.env, CTRL_SPC_COMPANION_KIND: managerKind }, L337: stdio: 'ignore',
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/companion.jsView on unpkg · L320
1import { spawn } from 'node:child_process'; L2: import { randomBytes } from 'node:crypto'; L3: import { chmodSync, existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs'; L4: import { createServer } from 'node:http'; L5: import { join } from 'node:path'; ... L27: function companionPort(kind) { L28: return Number(process.env.CTRL_SPC_COMPANION_PORT) || (kind === 'local' ? LOCAL_COMPANION_PORT : NPM_COMPANION_PORT); L29: } ... L34: try { L35: return JSON.parse(readFileSync(statePath(kind), 'utf8')); L36: } ... L47: function openBrowser(url) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/companion.jsView on unpkg · L1
matchType = previous_version_dangerous_delta matchedPackage = @ctrl-spc/cli@1.3.7 matchedIdentity = npm:QGN0cmwtc3BjL2NsaQ:1.3.7 similarity = 0.897 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/companion.jsView on unpkg

Findings

6 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/dispatch.js
HighShelldist/companion-projects.js
HighSame File Env Network Executiondist/companion.js
HighSandbox Evasion Gated Capabilitydist/companion.js
HighPrevious Version Dangerous Deltadist/companion.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/wake.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License