registry  /  @kennyshaw/autopost  /  0.2.3

@kennyshaw/autopost@0.2.3

Agent-friendly CLI for local multi-platform video publishing with AutoPost

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 25.4 KB of source, external domains: astral.sh, pub-2ad7ea477e7d42d39847b6376c82e059.r2.dev

Source & flagged code

4 flagged · loading source
bin/autopost.jsView file
2L3: import { spawn } from "node:child_process"; L4: import { randomBytes } from "node:crypto";
High
Child Process

Package source references child process execution.

bin/autopost.jsView on unpkg · L2
250const stderr = fs.openSync(path.join(logDir, "runner-error.log"), "a"); L251: const command = runnerExecutable && process.platform === "win32" ? "cmd.exe" : runnerExecutable || process.execPath; L252: const commandArgs = runnerExecutable
High
Shell

Package source references shell execution.

bin/autopost.jsView on unpkg · L250
src/runtime-installer.jsView file
42const candidates = [ L43: process.env.AUTOPOST_UV_BIN, L44: path.join(home, "tools", "bin", "uv"), ... L55: const installer = path.join(home, "downloads", "uv-install.sh"); L56: execFileSync("curl", ["-LsSf", "https://astral.sh/uv/install.sh", "-o", installer], { stdio: "inherit" }); L57: execFileSync("/bin/sh", [installer], {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/runtime-installer.jsView on unpkg · L42
1import { execFileSync } from "node:child_process"; L2: import { createHash } from "node:crypto"; ... L8: L9: export const DEFAULT_RELEASE_MANIFEST_URL = "https://pub-[redacted].r2.dev/stable.json"; L10: L11: function platformKey() { L12: return `${process.platform}-${process.arch}`; L13: } ... L21: if (command.includes(path.sep)) return fs.existsSync(command); L22: return (process.env.PATH || "").split(path.delimiter).some((entry) => fs.existsSync(path.join(entry, command))); L23: } ... L27: if (!response.ok) throw new Error(`Unable to fetch AutoPost release manifest: HTTP ${response.status}`);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/runtime-installer.jsView on unpkg · L1

Findings

4 High3 Medium4 Low
HighChild Processbin/autopost.js
HighShellbin/autopost.js
HighSame File Env Network Executionsrc/runtime-installer.js
HighSandbox Evasion Gated Capabilitysrc/runtime-installer.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License