registry  /  @excellent-so/screen-map  /  0.2.1

@excellent-so/screen-map@0.2.1

The map of your running app. One command screenshots every route, graphs how they connect, and finds the screens your nav forgot.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 140 KB of source, external domains: api.github.com, github.com, www.google.com

Source & flagged code

4 flagged · loading source
src/chrome.mjsView file
16import path from "node:path"; L17: import { execFileSync } from "node:child_process"; L18:
High
Child Process

Package source references child process execution.

src/chrome.mjsView on unpkg · L16
16import path from "node:path"; L17: import { execFileSync } from "node:child_process"; L18: L19: export const CACHE_DIR = path.join(os.homedir(), ".cache", "screen-map"); L20: ... L22: function knownPaths() { L23: const plt = process.platform; L24: if (plt === "darwin") { ... L34: if (plt === "win32") { L35: const pf = process.env["PROGRAMFILES"] || "C:\\Program Files"; L36: const pf86 = process.env["PROGRAMFILES(X86)"] || "C:\\Program Files (x86)"; ... L131: "Fix it one of these ways:",
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/chrome.mjsView on unpkg · L16
src/config.mjsView file
88// ESM/CJS config: import as a module and take the default export (or the module). L89: const mod = await import(pathToFileURL(file).href); L90: return mod.default ?? mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/config.mjsView on unpkg · L88
src/server.mjsView file
113const port = cfg.port > 0 ? cfg.port : await pickPort(cfg.portBase); L114: const base = `http://localhost:${port}`; L115: L116: const childEnv = { L117: ...process.env, L118: ...cfg.env, ... L126: const pre = Array.isArray(cfg.prepare) ? cfg.prepare : String(cfg.prepare).trim().split(/\s+/); L127: const r = spawnSync(pre[0], pre.slice(1), { cwd, env: childEnv, stdio: "inherit" }); L128: if (r.status !== 0) throw new Error(`managed server: prepare step failed (exit ${r.status})`);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/server.mjsView on unpkg · L113

Findings

4 High4 Medium4 Low
HighChild Processsrc/chrome.mjs
HighShell
HighSame File Env Network Executionsrc/server.mjs
HighSandbox Evasion Gated Capabilitysrc/chrome.mjs
MediumDynamic Requiresrc/config.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings