registry  /  @dashclaw/cli  /  0.6.0

@dashclaw/cli@0.6.0

DashClaw terminal client — approve agent actions and diagnose your instance

Static Scan Results

scanned 17h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 215 KB of source, external domains: codeload.github.com, github.com, hosted.dashclaw.io, registry.npmjs.org, your-dashclaw.vercel.app, your.vercel.app

Source & flagged code

3 flagged · loading source
bin/dashclaw.jsView file
2L3: import { execFileSync } from 'child_process'; L4: import { readFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

bin/dashclaw.jsView on unpkg · L2
296} else if (platform === 'win32') { L297: // Use PowerShell Start-Process instead of relying on cmd.exe parsing L298: execFileSync('powershell', ['-NoProfile', '-Command', 'Start-Process', url]);
High
Shell

Package source references shell execution.

bin/dashclaw.jsView on unpkg · L296
lib/up/run.jsView file
2// L3: // Build, start, health-wait, and open-browser primitives for `npx dashclaw up`. L4: L5: import { spawn, spawnSync } from 'node:child_process'; L6:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/up/run.jsView on unpkg · L2

Findings

3 High3 Medium4 Low
HighChild Processbin/dashclaw.js
HighShellbin/dashclaw.js
HighRuntime Package Installlib/up/run.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings