registry  /  @guapocado/cli  /  0.0.7

@guapocado/cli@0.0.7

CLI for the Guapocado billing platform. Manage billing configs, sync with Stripe, and generate typed code from your billing schema.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 256 KB of source, external domains: api.guapocado.dev

Source & flagged code

3 flagged · loading source
dist/chunk-4NT564I2.jsView file
13import consola from "consola"; L14: var require2 = createRequire(import.meta.url); L15: var CONFIG_MARKER = "GUAPOCADO_CONFIG_JSON:";
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-4NT564I2.jsView on unpkg · L13
dist/login-H4BCJCKM.jsView file
15// src/commands/login.ts L16: import { spawn } from "child_process"; L17: import { defineCommand } from "citty"; ... L19: function openBrowser(url) { L20: const command = process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open"; L21: const args = process.platform === "win32" ? ["/c", "start", "", url] : [url]; ... L43: async run({ args }) { L44: const baseUrl = "https://api.guapocado.dev"; L45: if (args.key) { ... L63: headers: { "content-type": "application/json" }, L64: body: JSON.stringify({ target: "both" }) L65: });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/login-H4BCJCKM.jsView on unpkg · L15
dist/chunk-CGZCFESO.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @guapocado/cli@0.0.4 matchedIdentity = npm:QGd1YXBvY2Fkby9jbGk:0.0.4 similarity = 0.579 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-CGZCFESO.jsView on unpkg

Findings

2 High4 Medium4 Low
HighSandbox Evasion Gated Capabilitydist/login-H4BCJCKM.js
HighPrevious Version Dangerous Deltadist/chunk-CGZCFESO.js
MediumDynamic Requiredist/chunk-4NT564I2.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings