registry  /  @hasna/crawl  /  0.4.16

@hasna/crawl@0.4.16

AI-powered web crawler — self-hosted Firecrawl alternative. Crawl, extract, render JS, search. CLI + MCP + REST API + Dashboard.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 5.06 MB of source, external domains: api.anthropic.com, api.exa.ai, api.openai.com, e2b.dev, example.com, feedback.hasna.com, github.com, json-schema.org, raw.githubusercontent.com, www.postgresql.org

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = mkdir -p $HOME/.hasna/crawl $HOME/.hasna/crawl/screenshots 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = mkdir -p $HOME/.hasna/crawl $HOME/.hasna/crawl/screenshots 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
146} L147: exec(sql) { L148: this.db.exec(sql);
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L146
dist/cli/index.jsView file
1202} L1203: const execArgv = process2.execArgv ?? []; L1204: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L1202
52Cross-file remote execution chain: dist/cli/index.js spawns dist/index.js; helper contains network access plus dynamic code execution. L52: class CommanderError extends Error { L53: constructor(exitCode, code, message) { L54: super(message); ... L756: var EventEmitter = __require("events").EventEmitter; L757: var childProcess = __require("child_process"); L758: var path = __require("path"); ... L802: this._outputConfiguration = { L803: writeOut: (str) => process2.stdout.write(str), L804: writeErr: (str) => process2.stderr.write(str), ... L2786: return false; L2787: const base64 = header.replace(/-/g, "+").replace(/_/g, "/").padEnd(header.length + (4 - header.length % 4) % 4, "="); L2788: const decoded = JSON.parse(atob(base64));
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/index.jsView on unpkg · L52
dist/server/index.jsView file
25765sourceCode = this.opts.code.process(sourceCode, sch); L25766: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L25767: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/server/index.jsView on unpkg · L25765

Findings

4 High4 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighShelldist/cli/index.js
HighCross File Remote Execution Contextdist/cli/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/server/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings