registry  /  @hasna/search  /  0.0.15

@hasna/search@0.0.15

Unified search — local file index (find files by name/path/content/regex in ms, trigram FTS) + 12 web providers (Google, SerpAPI, Exa, Perplexity, Twitter, Reddit, YouTube, Brave, Bing, Hacker News, GitHub, arXiv) + YouTube transcription. CLI + MCP + REST

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 3.26 MB of source, external domains: api.bing.microsoft.com, api.cerebras.ai, api.exa.ai, api.github.com, api.perplexity.ai, api.search.brave.com, api.twitter.com, export.arxiv.org, github.com, hn.algolia.com, json-schema.org, news.ycombinator.com, oauth.reddit.com, raw.githubusercontent.com, registry.npmjs.org, serpapi.com, www.googleapis.com, www.postgresql.org, www.reddit.com, www.youtube.com, x.com

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = mkdir -p $HOME/.hasna/search 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = mkdir -p $HOME/.hasna/search 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
9583} L9584: async exec(sql) { L9585: await this.pool.query(sql);
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L9583
dist/cli/index.jsView file
1202} L1203: const execArgv = process2.execArgv ?? []; L1204: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L1202
52Cross-file remote execution chain: dist/cli/index.js spawns dist/index.js; helper contains network access plus dynamic code execution. L52: class CommanderError extends Error { L53: constructor(exitCode, code, message) { L54: super(message); ... L756: var EventEmitter = __require("events").EventEmitter; L757: var childProcess = __require("child_process"); L758: var path = __require("path"); ... L802: this._outputConfiguration = { L803: writeOut: (str) => process2.stdout.write(str), L804: writeErr: (str) => process2.stderr.write(str), ... L2937: return false; L2938: const base64 = header.replace(/-/g, "+").replace(/_/g, "/").padEnd(header.length + (4 - header.length % 4) % 4, "="); L2939: const decoded = JSON.parse(atob(base64));
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/index.jsView on unpkg · L52
dist/server/index.jsView file
7339sourceCode = this.opts.code.process(sourceCode, sch); L7340: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode); L7341: const validate = makeValidate(this, this.scope.get());
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/server/index.jsView on unpkg · L7339

Findings

4 High4 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighShelldist/cli/index.js
HighCross File Remote Execution Contextdist/cli/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/server/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings