registry  /  @josharsh/pixelpi-cdp  /  0.2.0

@josharsh/pixelpi-cdp@0.2.0

Thin Chrome DevTools Protocol transport powering pixelpi's pixel-cheap look() over raw CDP.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 36.6 KB of source, external domains: 127.0.0.1, www.google.com

Source & flagged code

2 flagged · loading source
dist/index.jsView file
1// src/client.ts L2: import WebSocket from "ws"; L3: var CdpClient = class { ... L30: try { L31: msg = JSON.parse(raw); L32: } catch { ... L53: this.pending.set(id, { resolve, reject }); L54: this.ws.send(JSON.stringify({ id, method, params: params ?? {} }), (err) => { L55: if (err) { ... L99: // src/launch.ts L100: import { execSync, spawn } from "child_process"; L101: import { existsSync, mkdtempSync, readFileSync, unlinkSync } from "fs";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L1
397try { L398: const hostFn = new Function("fetch", "args", `return (${wrapFn(fn)}).apply(null, args);`); L399: const value = await hostFn(fetch, args);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L397

Findings

1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings