registry  /  @floggy/cli  /  0.3.0

@floggy/cli@0.3.0

Floggy CLI - headless access to your blog, notes, tasks, and analytics

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Manifest
WildcardDependency
scanned 1 file(s), 1.48 MB of source, external domains: floggy-api.pehcastro.workers.dev, github.com, prosemirror.net, registry.npmjs.org, www.w3.org

Source & flagged code

7 flagged · loading source
dist/floggy.jsView file
170patternName = private_key_rsa severity = critical line = 170 matchedText = -----END...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/floggy.jsView on unpkg · L170
170patternName = private_key_rsa severity = critical line = 170 matchedText = -----END...----
Critical
Secret Pattern

RSA private key in dist/floggy.js

dist/floggy.jsView on unpkg · L170
10(Did you mean one of ${z.join(", ")}?)`;if(z.length===1)return` L11: (Did you mean ${z[0]}?)`;return""}Pk.suggestSimilar=Ok});var wV=_9((Nk)=>{var Ak=D9("node:events").EventEmitter,sF=D9("node:child_process"),I5=D9("node:path"),iF=D9("node:fs"),h9=D... L12: - specify the name in Command constructor or using .name()`);if(Z=Z||{},Z.isDefault)this._defaultCommandName=J._name;if(Z.noHelp||Z.hidden)J._hidden=!0;return this._registerCommand...
High
Child Process

Package source references child process execution.

dist/floggy.jsView on unpkg · L10
13Expecting one of '${Q.join("', '")}'`);if(this._lifeCycleHooks[J])this._lifeCycleHooks[J].push(Z);else this._lifeCycleHooks[J]=[Z];return this}exitOverride(J){if(J)this._exitCallba... L14: - already used by option '${Z.flags}'`)}this.options.push(J)}_registerCommand(J){let Z=(z)=>{return[z.name()].concat(z.aliases())},Q=Z(J).find((z)=>this._findCommand(z));if(Q){let... L15: - if '${J._name}' is not meant to be an executable command, remove description parameter from '.command()' and use '.description()' instead
High
Shell

Package source references shell execution.

dist/floggy.jsView on unpkg · L13
10(Did you mean one of ${z.join(", ")}?)`;if(z.length===1)return` L11: (Did you mean ${z[0]}?)`;return""}Pk.suggestSimilar=Ok});var wV=_9((Nk)=>{var Ak=D9("node:events").EventEmitter,sF=D9("node:child_process"),I5=D9("node:path"),iF=D9("node:fs"),h9=D... L12: - specify the name in Command constructor or using .name()`);if(Z=Z||{},Z.isDefault)this._defaultCommandName=J._name;if(Z.noHelp||Z.hidden)J._hidden=!0;return this._registerCommand... ... L22: Expecting one of '${Q.join("', '")}'`);let z=`${J}Help`;return this.on(z,(Y)=>{let X;if(typeof Z==="function")X=Z({error:Y.error,command:Y.command});else X=Z;if(X)Y.write(`${X} L23: `)}),this}_outputHelpIfRequested(J){let Z=this._getHelpOption();if(Z&&J.find((z)=>Z.is(z)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function fV(J){... L24: `)),process.exit(1)}if(q.status===401)process.stderr.write(A.red("key invalid or revoked, run `floggy login`\n")),process.exit(1);if(q.status===403){let $;try{$=await q.json()}catc...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/floggy.jsView on unpkg · L10
10(Did you mean one of ${z.join(", ")}?)`;if(z.length===1)return` L11: (Did you mean ${z[0]}?)`;return""}Pk.suggestSimilar=Ok});var wV=_9((Nk)=>{var Ak=D9("node:events").EventEmitter,sF=D9("node:child_process"),I5=D9("node:path"),iF=D9("node:fs"),h9=D... L12: - specify the name in Command constructor or using .name()`);if(Z=Z||{},Z.isDefault)this._defaultCommandName=J._name;if(Z.noHelp||Z.hidden)J._hidden=!0;return this._registerCommand... ... L22: Expecting one of '${Q.join("', '")}'`);let z=`${J}Help`;return this.on(z,(Y)=>{let X;if(typeof Z==="function")X=Z({error:Y.error,command:Y.command});else X=Z;if(X)Y.write(`${X} L23: `)}),this}_outputHelpIfRequested(J){let Z=this._getHelpOption();if(Z&&J.find((z)=>Z.is(z)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function fV(J){... L24: `)),process.exit(1)}if(q.status===401)process.stderr.write(A.red("key invalid or revoked, run `floggy login`\n")),process.exit(1);if(q.status===403){let $;try{$=await q.json()}catc...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/floggy.jsView on unpkg · L10
1#!/usr/bin/env node L2: import{createRequire as eR}from"node:module";var nR=Object.create;var{getPrototypeOf:rR,defineProperty:mF,getOwnPropertyNames:oR}=Object;var tR=Object.prototype.hasOwnProperty;var ... L3: `).replace(/^/gm," ".repeat(2))}let W=[`Usage: ${Z.commandUsage(J)}`,""],$=Z.commandDescription(J);if($.length>0)W=W.concat([Z.wrap($,z,0),""]);let B=Z.visibleArguments(J).map((U)=... ... L10: (Did you mean one of ${z.join(", ")}?)`;if(z.length===1)return` L11: (Did you mean ${z[0]}?)`;return""}Pk.suggestSimilar=Ok});var wV=_9((Nk)=>{var Ak=D9("node:events").EventEmitter,sF=D9("node:child_process"),I5=D9("node:path"),iF=D9("node:fs"),h9=D... L12: - specify the name in Command constructor or using .name()`);if(Z=Z||{},Z.isDefault)this._defaultCommandName=J._name;if(Z.noHelp||Z.hidden)J._hidden=!0;return this._registerCommand... ... L22: Expecting one of '${Q.join("', '")}'`);let z=`${J}Help`;return this.on(z,(Y)=>{let X;if(typeof Z==="function")X=Z({error:Y.error,command:Y.command});else X=Z;if(X)Y.write(`${X} L23: `)}),this}_outputHelpIfRequested(J){let Z=this._getHelpOption();if(Z&&J.find((z)=>Z.is(z)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHe
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/floggy.jsView on unpkg · L1

Findings

2 Critical4 High4 Medium9 Low
CriticalCritical Secretdist/floggy.js
CriticalSecret Patterndist/floggy.js
HighChild Processdist/floggy.js
HighShelldist/floggy.js
HighSame File Env Network Executiondist/floggy.js
HighCommand Output Exfiltrationdist/floggy.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowWeak Cryptodist/floggy.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings