registry  /  @hogsend/cli  /  0.41.0

@hogsend/cli@0.41.0

⚠ Under review

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 26 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 47 file(s), 2.10 MB of source, external domains: 127.0.0.1, ap.www.namecheap.com, api-eu.customer.io, api.cloudflare.com, api.customer.io, api.example.com, api.vercel.com, app.loops.so, chatgpt.com, claude.ai, console.aws.amazon.com, dash.cloudflare.com, dcc.godaddy.com, discord.com, discord.gg, docs.hogsend.com, domains.google.com, eu.posthog.com, github.com, hatchet-lite-production.up.railway.app, hogsend.com, json-schema.org, porkbun.com, posthog.example.com, react.dev, us.posthog.com, vercel.com, www.perplexity.ai, www.w3.org, x.com

Source & flagged code

17 flagged · loading source
dist/bin.jsView file
54try { L55: res = await fetch(url, { L56: method, L57: headers, L58: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0 L59: }); ... L63: } L64: const text4 = await res.text(); L65: let parsed; ... L171: const isJson = opts.json; L172: const interactive = !isJson && Boolean(process.stdout.isTTY); L173: return {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/bin.jsView on unpkg · L54
54Trigger-reachable chain: manifest.exports -> dist/bin.js L54: try { L55: res = await fetch(url, { L56: method, L57: headers, L58: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0 L59: }); ... L63: } L64: const text4 = await res.text(); L65: let parsed; ... L171: const isJson = opts.json; L172: const interactive = !isJson && Boolean(process.stdout.isTTY); L173: return {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/bin.jsView on unpkg · L54
625// src/lib/browser.ts L626: import { spawn } from "child_process"; L627: function openBrowser(url) {
High
Child Process

Package source references child process execution.

dist/bin.jsView on unpkg · L625
3136try { L3137: const require2 = createRequire(import.meta.url); L3138: const pkg = require2("../package.json");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin.jsView on unpkg · L3136
54try { L55: res = await fetch(url, { L56: method, L57: headers, L58: body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0 L59: }); ... L63: } L64: const text4 = await res.text(); L65: let parsed; ... L171: const isJson = opts.json; L172: const interactive = !isJson && Boolean(process.stdout.isTTY); L173: return {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/bin.jsView on unpkg · L54
src/commands/dev.tsView file
211`not a Hogsend app — @hogsend/engine is not a dependency in ${pkgPath}. ` + L212: "Scaffold one with pnpm dlx create-hogsend@latest, or pass --cwd <dir>.", L213: ); ... L221: try { L222: const result = spawnSync("hatchet", ["--version"], { stdio: "ignore" }); L223: return !result.error && result.status === 0;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/commands/dev.tsView on unpkg · L211
studio/assets/inter-greek-wght-normal-CkhJZR-_.woff2View file
path = studio/assets/inter-greek-wght-normal-CkhJZR-_.woff2 kind = high_entropy_blob sizeBytes = 18996 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

studio/assets/inter-greek-wght-normal-CkhJZR-_.woff2View on unpkg
src/__tests__/hatchet-token.test.tsView file
80patternName = generic_password severity = medium line = 80 matchedText = password...!!",
Medium
Secret Pattern

Hardcoded password in src/__tests__/hatchet-token.test.ts

src/__tests__/hatchet-token.test.tsView on unpkg · L80
114patternName = generic_password severity = medium line = 114 matchedText = password...!!",
Medium
Secret Pattern

Hardcoded password in src/__tests__/hatchet-token.test.ts

src/__tests__/hatchet-token.test.tsView on unpkg · L114
137patternName = generic_password severity = medium line = 137 matchedText = password...!!",
Medium
Secret Pattern

Hardcoded password in src/__tests__/hatchet-token.test.ts

src/__tests__/hatchet-token.test.tsView on unpkg · L137
src/__tests__/admin-recovery.test.tsView file
116patternName = generic_password severity = medium line = 116 matchedText = password...ry",
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L116
140patternName = generic_password severity = medium line = 140 matchedText = await re... });
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L140
142patternName = generic_password severity = medium line = 142 matchedText = recovery... }),
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L142
149patternName = generic_password severity = medium line = 149 matchedText = await re... });
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L149
154patternName = generic_password severity = medium line = 154 matchedText = password...56",
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L154
172patternName = generic_password severity = medium line = 172 matchedText = password...23",
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L172
180patternName = generic_password severity = medium line = 180 matchedText = await re... });
Medium
Secret Pattern

Hardcoded password in src/__tests__/admin-recovery.test.ts

src/__tests__/admin-recovery.test.tsView on unpkg · L180

Findings

2 Critical4 High14 Medium6 Low
CriticalCommand Output Exfiltrationdist/bin.js
CriticalTrigger Reachable Dangerous Capabilitydist/bin.js
HighChild Processdist/bin.js
HighShell
HighRuntime Package Installsrc/commands/dev.ts
HighShips High Entropy Blobstudio/assets/inter-greek-wght-normal-CkhJZR-_.woff2
MediumDynamic Requiredist/bin.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternsrc/__tests__/hatchet-token.test.ts
MediumSecret Patternsrc/__tests__/hatchet-token.test.ts
MediumSecret Patternsrc/__tests__/hatchet-token.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
MediumSecret Patternsrc/__tests__/admin-recovery.test.ts
LowScripts Present
LowWeak Cryptodist/bin.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings