
@foresthubai/workflow-cli@0.4.5

fh-workflow CLI — author, validate, and visually edit Edge Agents workflow JSON. Bundles the visual builder; no other install required.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
  Source: ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell
  Supply chain: HighEntropyStrings, Minified, UrlStrings
  Manifest: CopyleftLicense, WildcardDependency
scanned 2 file(s), 2.12 MB of source, external domains: 127.0.0.1, github.com, json-schema.org, radix-ui.com, raw.githubusercontent.com, reactflow.dev, reactjs.org, spec.openapis.org, stackoverflow.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

5 flagged

dist-cli/cli.js
  L12757: import { fileURLToPath } from "node:url";
  L12758: import { spawn } from "node:child_process";
  L12759: import { accessSync } from "node:fs";
High · Child Process

Package source references child process execution.

dist-cli/cli.js · L12757

dist-cli/cli.js
  Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network
  L1232: // validation function arguments
  L1233: data: new codegen_1.Name("data"),
  L1234: // data passed to validation function
  ...
  L2259: id = normalizeId(id);
  L2260: return resolver.resolve(baseId, id);
  L2261: }
  ...
  L3122: for (i = 0; i < input.length; i++) {
  L3123: code = input[i].charCodeAt(0);
  L3124: if (code === 48) {
  ...
  L12597: defaultWidth: 0,
  L12598: output: process.stdout,
  L12599: tty: __require("tty")
High · Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

dist-cli/cli.js · L1232

dist-cli/cli.js
  L12954: const appRoot = path3.resolve(here2, "..");
  L12955: const env = { ...process.env };
  L12956: if (allowRoot) env.FH_BUILDER_ALLOW_ROOT = allowRoot;
  L12957: const port = 5173;
  L12958: const url2 = resolvedFile ? `http://localhost:${port}/?file=${encodeURIComponent(resolvedFile)}` : `http://localhost:${port}/`;
  L12959: const viteBin = locateViteBin(appRoot);
  L12960: const vite = spawn(viteBin, ["--port", String(port), "--host", "127.0.0.1", "--strictPort", "--no-open"], {
  L12961: cwd: appRoot,
High · Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-cli/cli.js · L12954

dist-cli/cli.js
  L12944: `);
  L12945: if (resolvedFile) process.stdout.write(`Bound to ${resolvedFile}
  L12946: `);
  ...
  L12957: const port = 5173;
  L12958: const url2 = resolvedFile ? `http://localhost:${port}/?file=${encodeURIComponent(resolvedFile)}` : `http://localhost:${port}/`;
  L12959: const viteBin = locateViteBin(appRoot);
  L12960: const vite = spawn(viteBin, ["--port", String(port), "--host", "127.0.0.1", "--strictPort", "--no-open"], {
  L12961: cwd: appRoot,
High · Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist-cli/cli.js · L12944

dist-cli/cli.js
  L2948: sourceCode = this.opts.code.process(sourceCode, sch);
  L2949: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
  L2950: const validate = makeValidate(this, this.scope.get());
Low · Eval

Package source references a known benign dynamic code generation pattern.

dist-cli/cli.js · L2948

Findings

5 High · 4 Medium · 7 Low

High · Child Process · dist-cli/cli.js
High · Shell
High · Entrypoint Build Divergence · dist-cli/cli.js
High · Same File Env Network Execution · dist-cli/cli.js
High · Command Output Exfiltration · dist-cli/cli.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist-cli/cli.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License