registry  /  @doist/bob-cli  /  2.0.0

@doist/bob-cli@2.0.0

HiBob CLI

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 27 file(s), 64.1 KB of source, external domains: api.hibob.com, github.com, registry.npmjs.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/check-skill-sync.jsView file
17const modulePath = pathToFileURL(join(root, 'dist/lib/skills/create-installer.js')).href L18: const { generateSkillFile } = await import(modulePath) L19: const expected = generateSkillFile()
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/check-skill-sync.jsView on unpkg · L17
dist/commands/update/action.jsView file
1import { spawn } from 'node:child_process'; L2: import chalk from 'chalk'; L3: import packageJson from '../../../package.json' with { type: 'json' }; L4: import { getUpdateChannel } from '../../lib/config.js'; ... L34: async function fetchVersion(channel) { L35: const url = `https://registry.npmjs.org/${PACKAGE_NAME}/${getInstallTag(channel)}`; L36: const response = await fetch(url); ... L39: } L40: const data = (await response.json()); L41: return data.version; ... L43: function detectPackageManager() { L44: const execPath = process.env.npm_execpath || process.argv[1] || '';
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/update/action.jsView on unpkg · L1

Findings

2 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/commands/update/action.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirescripts/check-skill-sync.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License