
@funara/wevr@0.1.0

Opinionated Engineering Workflow for OpenCode — Plan, Build, Review.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
  Source: Child Process, Crypto, Environment Vars, Filesystem, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.
scanned 37 file(s), 194 KB of source, external domains: opencode.ai

Source & flagged code

5 flagged

src/core/versionCheck.js

  L1:  import { execFileSync, execSync } from "node:child_process"
  L2:  import { confirm, isCancel } from "@clack/prompts"
High
Child Process

Package source references child process execution.

src/core/versionCheck.js · L1

  L38: if (process.platform === "win32") {
  L39:   execSync("npm install -g wevr", { stdio: "inherit" })
  L40: } else {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/core/versionCheck.js · L38

src/cli/commands/launch.js

  L111: const child = process.platform === "win32"
  L112:   ? spawn("opencode", { stdio: "inherit", shell: true })
  L113:   : spawn("opencode", [], { stdio: "inherit" })
High
Shell

Package source references shell execution.

src/cli/commands/launch.js · L111

  L1:   import { spawn } from "node:child_process"
  L2:   import { confirm, isCancel } from "@clack/prompts"
  ...
  L40:  // Clear logo lines (9 rows)
  L41:  process.stdout.write("\x1b[9A\x1b[0J");
  L42:  ...
  L110: console.log("Launching wevr...");
  L111: const child = process.platform === "win32"
  L112:   ? spawn("opencode", { stdio: "inherit", shell: true })
  ...
  L115: if (err.code === "ENOENT") {
  L116:   console.error("Error: opencode not found on PATH. Install it from https://opencode.ai");
  L117: } else {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/cli/commands/launch.js · L1

src/plugins/wevr-squeeze.js

  L469:  function intEnv(key, fallback) {
  L470:    const raw = process.env[key]?.trim();
  L471:    if (!raw) ...
  ...
  L1054: var callsSincePrune = 0;
  L1055: var INFRA_BASH_RE = /\b(?:systemctl|nginx|docker|kubectl|service|daemon|launchctl|brew|apt|apt-get|yum|dnf|pacman)\b/;
  L1056: var GIT_WRITE_RE = /\bgit\s+(?:push|pull|merge|rebase|cherry-pick|tag)\b/;
  ...
  L1224: try {
  L1225:   const parsed = JSON.parse(cachedData);
  L1226:   if (Array.isArray(parsed.decisions)) {
  ...
  L3103: const outputPath = writeDashboard({ dataDir, days });
  L3104: const { execFileSync } = await import("child_process");
  L3105: const platform = process.platform;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/plugins/wevr-squeeze.js · L469

Findings

4 High · 3 Medium · 4 Low

Severity  Finding                             File
High      Child Process                       src/core/versionCheck.js
High      Shell                               src/cli/commands/launch.js
High      Sandbox Evasion Gated Capability    src/cli/commands/launch.js
High      Runtime Package Install             src/core/versionCheck.js
Medium    Environment Vars
Medium    Install Persistence                 src/plugins/wevr-squeeze.js
Medium    Structural Risk Force Deep Review
Low       Scripts Present
Low       Filesystem
Low       High Entropy Strings
Low       Url Strings