registry  /  @hachej/boring-ui-cli  /  0.1.65

@hachej/boring-ui-cli@0.1.65

⚠ Under review

Turn an agent into an app

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 691 file(s), 20.9 MB of source, external domains: chevrotain.io, en.wikipedia.org, github.com, langium.org, react.dev, runtime.local, www.w3.org
Oversized source lightweight scan
public/assets/index-BDGnMcme.js3.79 MB file, sampled 256 KB
NetworkHighEntropyStringsMinifiedUrlStringsreact.devwww.w3.org

Source & flagged code

4 flagged · loading source
public/assets/vue-vine-CFpVyOJ3.jsView file
1import{t as e}from"./javascript-DpaUJ1AF.js";import{t}from"./css-Db5oXez4.js";import{t as n}from"./scss-CKfHcJzL.js";import r from"./postcss-BunjpCQr.js";import i from"./less-BGJv5...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

public/assets/vue-vine-CFpVyOJ3.jsView on unpkg · L1
dist/server/localWorkspaces.jsView file
6import { basename, dirname, join, resolve } from "node:path"; L7: const DEFAULT_REGISTRY_PATH = resolve(homedir(), ".boring-ui", "workspaces.yaml"); L8: function [redacted]() { L9: return process.env.BORING_UI_WORKSPACES_PATH ? resolve(process.env.BORING_UI_WORKSPACES_PATH) : DEFAULT_REGISTRY_PATH; L10: } ... L28: try { L29: return JSON.parse(trimmed); L30: } catch {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/server/localWorkspaces.jsView on unpkg · L6
public/assets/chunk-K5T4RW27-B8krvPgy.jsView file
12contains invisible/control Unicode U+FEFF (zero width no-break space) \r \v \xA0            \u2028\u2029   <U+FEFF>`.split(``);function _n(e){let t=typeof e==`string`?new RegExp(e):e;return gn.some(e=>t.test(e))}function vn(e){return e.replace(/[.*+?^${}()|[\]\\]/g,`\\$&`)}function yn(e,t){let n=bn(e),r=t.mat
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

public/assets/chunk-K5T4RW27-B8krvPgy.jsView on unpkg · L12
public/assets/index-BDGnMcme.jsView file
path = public/assets/index-BDGnMcme.js kind = oversized_source_file sizeBytes = 3977831 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

public/assets/index-BDGnMcme.jsView on unpkg

Findings

1 Critical1 High4 Medium6 Low
CriticalTrojan Source Unicodepublic/assets/chunk-K5T4RW27-B8krvPgy.js
HighOversized Source Filepublic/assets/index-BDGnMcme.js
MediumDynamic Requirepublic/assets/vue-vine-CFpVyOJ3.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/server/localWorkspaces.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings