registry  /  @elnora-ai/cli  /  2.3.0

@elnora-ai/cli@2.3.0

Elnora AI Platform CLI

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 200 KB of source, external domains: claude.ai, cli.elnora.ai, code.visualstudio.com, cursor.com, docs.elnora.ai, github.com, mcp.elnora.ai, platform.elnora.ai, registry.npmjs.org

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli.jsView file
2187// src/commands/open.ts L2188: import { exec } from "node:child_process"; L2189: var URLS = {
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L2187
1331} L1332: const result = await cmd.execute(parsed, ctx); L1333: if (result != null) {
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L1331
32"use strict"; L33: VERSION = true ? "2.3.0" : process.env.npm[redacted] ?? "0.0.0-dev"; L34: PRODUCTION_BASE_URL = "https://platform.elnora.ai/api/v1"; L35: BASE_URL = process.env.ELNORA_API_URL ?? PRODUCTION_BASE_URL; ... L167: } L168: function getExitCode(err) { L169: for (const [ErrorClass, code] of EXIT_CODES) { ... L358: mkdirSync(dir, { recursive: true }); L359: if (process.platform !== "win32") { L360: try { ... L472: init_errors(); L473: CONFIG_DIR = join(homedir(), ".elnora");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L32
32Detached bundled service listener: dist/cli.js launches a Node helper and exposes a broad-bound HTTP listener. L32: "use strict"; L33: VERSION = true ? "2.3.0" : process.env.npm[redacted] ?? "0.0.0-dev"; L34: PRODUCTION_BASE_URL = "https://platform.elnora.ai/api/v1"; L35: BASE_URL = process.env.ELNORA_API_URL ?? PRODUCTION_BASE_URL; ... L167: } L168: function getExitCode(err) { L169: for (const [ErrorClass, code] of EXIT_CODES) { ... L358: mkdirSync(dir, { recursive: true }); L359: if (process.platform !== "win32") { L360: try { ... L472: init_errors(); L473: CONFIG_DIR = join(homedir(), ".elnora");
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/cli.jsView on unpkg · L32

Findings

5 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighSpawned Bundled Service Listenerdist/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings