
@explorer02/cfm-survey-sdk@0.2.3

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Network
Supply chain: High Entropy Strings, Minified, Obfuscated, Url Strings
Manifest: No License

scanned 11 file(s), 237 KB of source, external domains: custom-p0.feedbook.me, nodejs.org, raw.githubusercontent.com

Source & flagged code

6 flagged
package.json
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/cli/index.js
L1: #!/usr/bin/env node L2: "use strict";var B=Object.create;var N=Object.defineProperty;var W=Object.getOwnPropertyDescriptor;var z=Object.getOwnPropertyNames;var K=Object.getPrototypeOf,Q=Object.prototype.h... L3: `);let n=await y("Would you like to install/upgrade Node.js v18+ automatically? (y/N): ");n.toLowerCase()==="y"||n.toLowerCase()==="yes"||(console.log(`
High
Child Process

Package source references child process execution.

dist/cli/index.js · L1
L10: `),process.exit(1))):(console.log(` L11: \u274C ${e.red}winget package manager is not installed on this system.${e.reset}`),console.log(`${e.bold}\u{1F449} To proceed, please either:${e.reset}`),console.log(" 1. Install... L12: `),process.exit(1)):s?f("brew")?(console.log(` ... L17: `),process.exit(1))):(console.log(` L18: \u274C ${e.red}Homebrew package manager (brew) is not installed on this system.${e.reset}`),console.log(`${e.bold}\u{1F449} To proceed, please either:${e.reset}`),console.log(" 1... L19: `),process.exit(1)):(console.log(` ... L24: \u26A0\uFE0F ${e.yellow}Global installation failed or permissions restricted.${e.reset}`),console.log(`\u2139 ${e.dim}Falling back: Running Vercel dynamically via npx.${e.reset}`)... L25: ${e.dim}Step 3/4: Checking Vercel Login...${e.reset}`);let n=!!process.env.VERCEL_TOKEN,t=!1;if(n)console.log(`\u2714 ${e.green}VERCEL_TOKEN environment variable detected. Skipping... L26: \u2714 ${e.green}Logged in successfully!${e.reset}`)}return n}async function A(o,n){console.log(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.js · L10
L17: `),process.exit(1))):(console.log(` L18: \u274C ${e.red}Homebrew package manager (brew) is not installed on this system.${e.reset}`),console.log(`${e.bold}\u{1F449} To proceed, please either:${e.reset}`),console.log(" 1... L19: `),process.exit(1)):(console.log(` ... L22: ${e.dim}Step 2/4: Checking Vercel CLI...${e.reset}`);let o="vercel",n=!1;if(f("vercel"))console.log(`\u2714 ${e.green}Vercel CLI is installed!${e.reset}`);else{console.log(`\u2753 ... L23: \u{1F4E5} ${e.cyan}Installing Vercel CLI globally... (npm install -g vercel)${e.reset}`),w("npm",["install","-g","vercel"])&&f("vercel")?console.log(`\u2714 ${e.green}Vercel CLI in... L24: \u26A0\uFE0F ${e.yellow}Global installation failed or permissions restricted.${e.reset}`),console.log(`\u2139 ${e.dim}Falling back: Running Vercel dynamically via npx.${e.reset}`)...
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.js · L17
templates/docs/templates/verify-agent-build.sh
path = templates/docs/templates/verify-agent-build.sh kind = build_helper sizeBytes = 3194 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/docs/templates/verify-agent-build.sh

Findings

4 High · 5 Medium · 6 Low

High: Install Time Lifecycle Scripts (package.json)
High: Child Process (dist/cli/index.js)
High: Same File Env Network Execution (dist/cli/index.js)
High: Runtime Package Install (dist/cli/index.js)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Medium: Environment Vars
Medium: Ships Build Helper (templates/docs/templates/verify-agent-build.sh)
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: Obfuscated
Low: High Entropy Strings
Low: Url Strings
Low: No License