@elaraai/create-east@1.0.28

Scaffold a new East project (AGPL-3.0, Node-only): npm create @elaraai/east

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
  Source: ChildProcess, Filesystem, Shell
  Supply chain: UrlStrings
  Manifest: CopyleftLicense
scanned 5 file(s), 15.7 KB of source, external domains: docs.astral.sh

Source & flagged code

dist/index.js (3 flagged)

  L5: import { join, relative } from "node:path";
  L6: import { spawnSync } from "node:child_process";
  L7:

High · Child Process
Package source references child process execution.
dist/index.js · L5

  L5: import { join, relative } from "node:path";
  L6: import { spawnSync } from "node:child_process";
  L7:
  ...
  L58: function transformPackageJson(raw, names, version, manifest, enabled) {
  L59:   const pkg = JSON.parse(raw);
  L60:   pkg.name = `@elaraai/${names.projectName}`;
  ...
  L62:   pkg.version = "0.0.1";
  L63:   delete pkg.private;
  L64:   if (manifest) {
  ...
  L126:   const { kind, name, templateDir, version } = options;
  L127:   const cwd = options.cwd ?? process.cwd();
  L128:   const log = options.log ?? ((m) => console.log(m));

High · Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.js · L5

  L201:   const probe = process.platform === "win32" ? "where" : "which";
  L202:   return spawnSync(probe, [cmd], { stdio: "ignore" }).status === 0;
  L203: }
  ...
  L207:   if (npm.status !== 0) {
  L208:     log("npm install failed \u2014 fix the issue and re-run `npm install`.");
  L209:     return;

High · Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.js · L201

Findings

4 High · 1 Medium · 4 Low

High · Child Process · dist/index.js
High · Shell
High · Sandbox Evasion Gated Capability · dist/index.js
High · Runtime Package Install · dist/index.js
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Url Strings
Low · Copyleft License