registry  /  @flopod/cli  /  0.11.0

@flopod/cli@0.11.0

The Flopod engine + host package. Despite the `cli` name, it ships two things on top of one shared core:

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 32 file(s), 375 KB of source, external domains: fly.io, github.com

Source & flagged code

5 flagged · loading source
dist/git.jsView file
1import { spawn, spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, lstatSync, rmdirSync, unlinkSync } from 'fs';
High
Child Process

Package source references child process execution.

dist/git.jsView on unpkg · L1
737* fast-forwarded; a failed install is a fixable follow-up, not a reason to strand the draft). L738: * `shell: true` is required so Windows can invoke `pnpm.cmd` — Node 20+ refuses to spawn a `.cmd` L739: * directly (EINVAL) without a shell. The args are fixed (no user input), so the DEP0190 shell-arg
High
Shell

Package source references shell execution.

dist/git.jsView on unpkg · L737
1import { spawn, spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, lstatSync, rmdirSync, unlinkSync } from 'fs'; ... L9: const r = spawnSync('git', args, { cwd, encoding: 'utf8' }); L10: return { ok: !r.error && r.status === 0, out: ((r.stdout ?? '') + (r.stderr ?? '')).trim() }; L11: } ... L18: */ L19: const DEBUG = !!process.env.FLOPOD_DEBUG; L20: function trace(log, msg) { ... L185: // mount it on a volume). Default: `~/.flopod/worktrees`, out of every flopod's repo tree. L186: const home = process.env.FLOPOD_WORKTREES_HOME || join(homedir(), '.flopod', 'worktrees'); L187: return join(home, key); ... L201: try {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/git.jsView on unpkg · L1
dist/providers/fly.jsView file
1import { spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, readdirSync } from 'fs'; ... L13: function installHint() { L14: const cmd = process.platform === 'win32' L15: ? 'pwsh -Command "iwr https://fly.io/install.ps1 -useb | iex"' L16: : 'curl -L https://fly.io/install.sh | sh'; ... L35: const ext = process.platform === 'win32' ? '.exe' : ''; L36: candidates.push(join(homedir(), '.fly', 'bin', `flyctl${ext}`)); L37: for (const bin of candidates) { ... L48: } L49: /** Run a Fly command quietly and capture stdout (for probes like whoami/status). */ L50: /** Docker `--build-arg` pairs stamping the image's identity (surfaced under Settings → Version):
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/providers/fly.jsView on unpkg · L1
dist/commands/new.jsView file
43console.log('Installing dependencies (flopod + TS types)...'); L44: execSync('npm install --prefer-offline --no-audit --no-fund', { cwd: dir, stdio: 'inherit' }); L45: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/new.jsView on unpkg · L43

Findings

4 High3 Medium6 Low
HighChild Processdist/git.js
HighShelldist/git.js
HighSandbox Evasion Gated Capabilitydist/providers/fly.js
HighRuntime Package Installdist/commands/new.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/git.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License