
@finch.app/extensions@0.1.5

CLI shim for installing Finch extensions to the correct location.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 22.1 KB of source, external domains: nodejs.org

Source & flagged code

1 flagged
bin/extensions.mjs

L13: import { homedir, tmpdir } from 'node:os';
L14: import { spawnSync } from 'node:child_process';
L15: import { randomUUID } from 'node:crypto';
...
L19: function finchRuntimeHome() {
L20:   return process.env.FINCH_RUNTIME_HOME ?? join(homedir(), '.finch');
L21: }
...
L53: function readJson(path, fallback) {
L54:   try { return JSON.parse(readFileSync(path, 'utf-8')); } catch { return fallback; }
L55: }
...
L78: function readPackageJson(dir) {
L79:   const file = join(dir, 'package.json');
L80:   if (!existsSync(file)) return null;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/extensions.mjs · L13

Findings

1 High · 3 Medium · 3 Low

High: Sandbox Evasion Gated Capability (bin/extensions.mjs)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings