registry  /  @flui-cloud/cli  /  0.8.0

@flui-cloud/cli@0.8.0

Command-line interface for Flui — the open-source platform to deploy applications across cloud providers and your own servers.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
CopyleftLicense
scanned 515 file(s), 6.17 MB of source, external domains: 127.0.0.1, 162.55.56.10, acme-staging-v02.api.letsencrypt.org, acme-v02.api.letsencrypt.org, api.contabo.com, api.example.com, api.hetzner.cloud, api.ipify.org, api.scaleway.ai, api.scaleway.com, app.royal-gecko-72.162.55.56.10.nip.io, auth.contabo.com, community.hetzner.com, console.hetzner.cloud, console.scaleway.com, contabo.com, demo.example.com, docs.hetzner.cloud, docs.hetzner.com, example.com, flui.cloud, fsn1.your-objectstorage.com, ghcr.io, github.com, icanhazip.com, ifconfig.me, raw.githubusercontent.com, s3.eu-central-1.amazonaws.com, s3.fr-par.scw.cloud, www.hetzner.com, www.scaleway.com, zitadel.flui-system.svc.cluster.local

Source & flagged code

6 flagged · loading source
lib/cli/src/commands/db/credentials.jsView file
50patternName = generic_password severity = medium line = 50 matchedText = const sh...l)';
Medium
Secret Pattern

Package contains a possible secret pattern.

lib/cli/src/commands/db/credentials.jsView on unpkg · L50
lib/cli/src/lib/byos-precheck.jsView file
3exports.runPrecheck = runPrecheck; L4: const child_process_1 = require("child_process"); L5: const SUPPORTED = [
High
Child Process

Package source references child process execution.

lib/cli/src/lib/byos-precheck.jsView on unpkg · L3
lib/cli/src/commands/auth/reset-password.jsView file
161try { L162: result = await sshService.sshExec(masterIp, `kubectl exec -n default ${podName} -- node -e "eval(Buffer.from('${encoded}','base64').toString())"`); L163: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/cli/src/commands/auth/reset-password.jsView on unpkg · L161
lib/cli/src/services/cli-ssh.service.jsView file
50const os = __importStar(require("node:os")); L51: const node_child_process_1 = require("node:child_process"); L52: const cli_ca_service_1 = require("./cli-ca.service"); ... L65: this.logger = new common_1.Logger(CliSshService_1.name); L66: this.fluiDir = path.join(os.homedir(), '.flui'); L67: this.sshDir = path.join(this.fluiDir, 'ssh'); L68: this.privateKeyPath = path.join(this.sshDir, 'id_rsa'); L69: this.publicKeyPath = path.join(this.sshDir, 'id_rsa.pub'); ... L110: '-C', L111: `flui-cli@${os.hostname()}`, L112: ], { stdio: 'pipe' }); ... L262: if (result.status !== 0) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

lib/cli/src/services/cli-ssh.service.jsView on unpkg · L50
lib/cli/src/commands/auth/login.jsView file
39const core_1 = require("@oclif/core"); L40: const http = __importStar(require("node:http")); L41: const crypto = __importStar(require("node:crypto")); L42: const node_child_process_1 = require("node:child_process"); L43: const chalk_1 = __importDefault(require("chalk")); ... L50: // TODO: remove once production TLS certs are in place. L51: process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; L52: const LOGIN_TIMEOUT_MS = 120_000;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/cli/src/commands/auth/login.jsView on unpkg · L39
lib/cli/src/commands/update.jsView file
74this.log(`Installing ${packageName}@${latest}...`); L75: const result = (0, node_child_process_1.spawnSync)('npm', ['install', '-g', `${packageName}@${latest}`], { L76: stdio: 'inherit', ... L79: if (result.status !== 0) { L80: this.error('Update failed. Try running manually: npm install -g ' + packageName); L81: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/cli/src/commands/update.jsView on unpkg · L74

Findings

3 High5 Medium6 Low
HighChild Processlib/cli/src/lib/byos-precheck.js
HighSame File Env Network Executionlib/cli/src/commands/auth/login.js
HighRuntime Package Installlib/cli/src/commands/update.js
MediumSecret Patternlib/cli/src/commands/db/credentials.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencelib/cli/src/services/cli-ssh.service.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvallib/cli/src/commands/auth/reset-password.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License