registry  /  @fluid-app/portal-sdk  /  0.1.409

@fluid-app/portal-sdk@0.1.409

⚠ Under review

SDK for building custom Fluid portals

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
NoLicense
scanned 605 file(s), 16.4 MB of source, external domains: api.fluid.app, api.fluid.localhost, api.qrserver.com, apps.apple.com, assets.fluid.app, atomiks.github.io, cdn.jsdelivr.net, developer.mozilla.org, docs.github.com, ejemplo.com, example.com, fb.me, flagcdn.com, fluid.app, fonts.googleapis.com, github.com, html.spec.whatwg.org, i.ytimg.com, ik.imagekit.io, images.unsplash.com, international-autocomplete.api.smarty.com, international-street.api.smarty.com, js.verygoodvault.com, maps.googleapis.com, motion.dev, my-portal.example.com, mysite.example.com, nodejs.org, pelda.com, play.google.com, player.vimeo.com, prosemirror.net, purecatamphetamine.github.io, radix-ui.com, rolldown.rs, spec.commonmark.org, stackoverflow.com, storage.googleapis.com, tiptap.dev, tools.ietf.org, twitter.com, unsplash.com, us-autocomplete-pro.api.smarty.com, us-enrichment.api.smarty.com, us-extract.api.smarty.com, us-reverse-geo.api.smarty.com, us-street.api.smarty.com, us-zipcode.api.smarty.com, vimeo.com, w3c.github.io
Oversized source lightweight scan
dist/ShareablesScreen-DFmDFuLK.cjs8.02 MB file, sampled 256 KB
HighEntropyStringsTelemetryUrlStringsassets.fluid.appik.imagekit.iowww.w3.org
dist/src-CMer7k-Y.cjs2.27 MB file, sampled 256 KB
HighEntropyStringsUrlStringsradix-ui.comwww.w3.org

Source & flagged code

2 flagged · loading source
dist/dist-Bmw7ZdTO.mjsView file
1654contains invisible/control Unicode U+200B (zero width space) Get the _n_<U+200B>th outgoing edge from this node in the finite
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/dist-Bmw7ZdTO.mjsView on unpkg · L1654
dist/src-CMer7k-Y.cjsView file
path = dist/src-CMer7k-Y.cjs kind = oversized_source_file sizeBytes = 2376802 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/src-CMer7k-Y.cjsView on unpkg

Findings

1 Critical1 High3 Medium6 Low
CriticalTrojan Source Unicodedist/dist-Bmw7ZdTO.mjs
HighOversized Source Filedist/src-CMer7k-Y.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License