
@explorer02/cfm-survey-sdk@0.2.2

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Network
Supply chain: High Entropy Strings, Minified/Obfuscated, Url Strings
Manifest: No License

Scanned 7 file(s), 211 KB of source. External domains referenced: custom-p0.feedbook.me, nodejs.org, raw.githubusercontent.com

Source & flagged code

6 flagged

package.json
scripts.postinstall = node postinstall.js
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node postinstall.js
Medium · Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

dist/cli/index.js
L1: #!/usr/bin/env node L2: "use strict";var B=Object.create;var N=Object.defineProperty;var W=Object.getOwnPropertyDescriptor;var z=Object.getOwnPropertyNames;var K=Object.getPrototypeOf,Q=Object.prototype.h... L3: `);let n=await y("Would you like to install/upgrade Node.js v18+ automatically? (y/N): ");n.toLowerCase()==="y"||n.toLowerCase()==="yes"||(console.log(`
High · Child Process
Package source references child process execution.
dist/cli/index.js, line 1
L10: `),process.exit(1))):(console.log(` L11: \u274C ${e.red}winget package manager is not installed on this system.${e.reset}`),console.log(`${e.bold}\u{1F449} To proceed, please either:${e.reset}`),console.log(" 1. Install... L12: `),process.exit(1)):s?f("brew")?(console.log(` ... L17: `),process.exit(1))):(console.log(` L18: \u274C ${e.red}Homebrew package manager (brew) is not installed on this system.${e.reset}`),console.log(`${e.bold}\u{1F449} To proceed, please either:${e.reset}`),console.log(" 1... L19: `),process.exit(1)):(console.log(` ... L24: \u26A0\uFE0F ${e.yellow}Global installation failed or permissions restricted.${e.reset}`),console.log(`\u2139 ${e.dim}Falling back: Running Vercel dynamically via npx.${e.reset}`)... L25: ${e.dim}Step 3/4: Checking Vercel Login...${e.reset}`);let n=!!process.env.VERCEL_TOKEN,t=!1;if(n)console.log(`\u2714 ${e.green}VERCEL_TOKEN environment variable detected. Skipping... L26: \u2714 ${e.green}Logged in successfully!${e.reset}`)}return n}async function A(o,n){console.log(`
High · Same File Env Network Execution
A single source file combines environment access (here process.env.VERCEL_TOKEN), network access, and code or shell execution; review the context before blocking.
dist/cli/index.js, line 10
L17: `),process.exit(1))):(console.log(` L18: \u274C ${e.red}Homebrew package manager (brew) is not installed on this system.${e.reset}`),console.log(`${e.bold}\u{1F449} To proceed, please either:${e.reset}`),console.log(" 1... L19: `),process.exit(1)):(console.log(` ... L22: ${e.dim}Step 2/4: Checking Vercel CLI...${e.reset}`);let o="vercel",n=!1;if(f("vercel"))console.log(`\u2714 ${e.green}Vercel CLI is installed!${e.reset}`);else{console.log(`\u2753 ... L23: \u{1F4E5} ${e.cyan}Installing Vercel CLI globally... (npm install -g vercel)${e.reset}`),w("npm",["install","-g","vercel"])&&f("vercel")?console.log(`\u2714 ${e.green}Vercel CLI in... L24: \u26A0\uFE0F ${e.yellow}Global installation failed or permissions restricted.${e.reset}`),console.log(`\u2139 ${e.dim}Falling back: Running Vercel dynamically via npx.${e.reset}`)...
High · Runtime Package Install
Package source invokes a package manager install command at runtime (npm install -g vercel, falling back to running Vercel via npx when the global install fails or is not permitted).
dist/cli/index.js, line 17

templates/docs/templates/verify-agent-build.sh
path = templates/docs/templates/verify-agent-build.sh · kind = build_helper · sizeBytes = 1791 · magicHex = [redacted]
Medium · Ships Build Helper
Package ships non-JavaScript build or shell helper files.
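The flagged findings above come from heuristics over the manifest and the shipped source. As an added example (this is not the registry scanner's code and not part of @explorer02/cfm-survey-sdk), the following Node.js script reproduces the same kinds of checks on constructed input: install-time lifecycle hooks and an allowlist, the co-occurrence of child_process, process.env and network access in one file, a runtime package-manager install, and the external domains a file references. The allowlist, the regexes, and the sample package.json and CLI fragment are assumptions made for this page.

```javascript
// Added example, not the scanner's or the package's own code: a small static
// triage pass that reproduces the kinds of checks behind the findings above.
// The allowlist, the regexes and the sample inputs are assumptions for this page.

// Hooks npm runs automatically when this package is installed as a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Hypothetical reviewer allowlist of install commands treated as benign as-is.
const ALLOWLISTED_SCRIPTS = new Set(["node-gyp rebuild"]);

// Install-time lifecycle scripts in package.json: every hook is reported, and
// any command not on the allowlist is additionally marked for manual review.
function checkLifecycleScripts(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const cmd = scripts[hook].trim();
    findings.push({ severity: "High", rule: "Install Time Lifecycle Scripts",
                    detail: `scripts.${hook} = ${cmd}` });
    if (!ALLOWLISTED_SCRIPTS.has(cmd)) {
      findings.push({ severity: "Medium", rule: "Ambiguous Install Lifecycle Script",
                      detail: `scripts.${hook} is not allowlisted` });
    }
  }
  return findings;
}

// Crude behavioural-surface markers over JS source. They key on module names
// and literal arguments, which survive minification (local identifiers do not).
const SURFACE = {
  childProcess: /["'](?:node:)?child_process["']/,
  environment: /\bprocess\.env\b/,
  network: /["'](?:node:)?(?:https?|net|dns)["']|\bfetch\s*\(|https?:\/\//,
  // spawn-style `"npm", ["install", ...]` or a shell string `npm install ...`
  packageInstall: /["'](?:npm|yarn|pnpm)["']\s*,\s*\[\s*["'](?:install|i|add)["']|\b(?:npm|yarn|pnpm)\s+(?:install|i|add)\b/,
};

// Per-file checks; the combined env+network+exec rule fires only when all three hit.
function scanSource(path, text) {
  const hits = {};
  for (const [name, re] of Object.entries(SURFACE)) hits[name] = re.test(text);
  const findings = [];
  if (hits.childProcess) {
    findings.push({ severity: "High", rule: "Child Process", detail: path });
  }
  if (hits.childProcess && hits.environment && hits.network) {
    findings.push({ severity: "High", rule: "Same File Env Network Execution", detail: path });
  }
  if (hits.packageInstall) {
    findings.push({ severity: "High", rule: "Runtime Package Install", detail: path });
  }
  return { hits, findings };
}

// Hostnames of every http(s) URL literal, so a reviewer sees where code may reach out.
function externalDomains(text) {
  const hosts = new Set();
  for (const m of text.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// Whole-package triage: manifest checks plus per-file source checks.
function triage(pkgJson, files) {
  const findings = checkLifecycleScripts(pkgJson);
  const domains = new Set();
  for (const [path, text] of Object.entries(files)) {
    findings.push(...scanSource(path, text).findings);
    for (const d of externalDomains(text)) domains.add(d);
  }
  return { findings, domains: [...domains].sort() };
}

// Constructed sample inputs (not the real package contents): a manifest with the
// same postinstall hook as above, and a CLI fragment that exercises every marker.
const SAMPLE_PACKAGE_JSON = {
  name: "sample-sdk", version: "0.0.0",
  scripts: { postinstall: "node postinstall.js", test: "node --test" },
};
const SAMPLE_CLI_SOURCE = `
const { spawnSync } = require("child_process");
const https = require("https");
function w(c, a) { return spawnSync(c, a, { stdio: "inherit" }).status === 0; }
if (!process.env.VERCEL_TOKEN) w("npm", ["install", "-g", "vercel"]);
https.get("https://nodejs.org/dist/index.json", () => {});
`;

const report = triage(SAMPLE_PACKAGE_JSON, { "dist/cli/index.js": SAMPLE_CLI_SOURCE });
for (const f of report.findings) console.log(`${f.severity}\t${f.rule}\t${f.detail}`);
console.log(`external domains: ${report.domains.join(", ")}`);
```

To run the same triage against the real tarball before anything executes, fetch it without installing (`npm pack @explorer02/cfm-survey-sdk@0.2.2`), extract it, and feed package.json and the files under dist/ to `triage()`. While a postinstall hook is still under review, install with `npm install --ignore-scripts` so it cannot run. Because the markers key on string literals, code that assembles module names or URLs at runtime slips past them, which is why the Obfuscated and High Entropy Strings signals above deserve a manual read of the minified file rather than a regex.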

Findings

4 High, 5 Medium, 6 Low

High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/cli/index.js
High · Same File Env Network Execution · dist/cli/index.js
High · Runtime Package Install · dist/cli/index.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · templates/docs/templates/verify-agent-build.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · No License