
@kitelev/exocortex-cli@16.175.2

CLI tool for Exocortex knowledge management system - SPARQL queries, task management, and more

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process, Crypto, Environment Vars, Eval, Filesystem, Network
Supply chain
High Entropy Strings, Minified, Url Strings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 1.33 MB of source, external domains: api.github.com, example.org, exocortex.local, exocortex.my, github.com, purl.org, schema.org, www.apache.org, www.w3.org, xmlns.com

Source & flagged code

5 flagged
package.json
scripts.postinstall = node ./scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts. A `postinstall` script runs automatically with the installing user's privileges on every `npm install`, so the referenced `scripts/postinstall.cjs` should be reviewed before the package is installed or allowlisted.

package.json
scripts.postinstall = node ./scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/index.js
17(Did you mean one of ${r.join(", ")}?)`:r.length===1?` L18: (Did you mean ${r[0]}?)`:""}a(n5,"suggestSimilar");RR.suggestSimilar=n5});var DR=T(gb=>{var i5=require("node:events").EventEmitter,db=require("node:child_process"),so=require("node... L19: - specify the name in Command constructor or using .name()`);return t=t||{},t.isDefault&&(this._defaultCommandName=e._name),(t.noHelp||t.hidden)&&(e._hidden=!0),this._registerComma...
High
Child Process

Package source references child process execution. The flagged span (`suggestSimilar`, `Command constructor or using .name()`) appears to be a bundled copy of the commander CLI library, which imports `node:child_process` for its executable-subcommand support; confirm against the bundle rather than treating the import alone as malicious.

dist/index.js · L17
473`)+` L474: `+n}a(Vu,"injectExocortexPrefixes");function X0(n){return n.replace(hne,(e,t,r,i,s)=>yj.has(r.toLowerCase())?`${r}:${i}`:e)}a(X0,"transformShorthandNotation");function Q0(n){let e=... L475: `);let N=j;N.type==="select"&&N.bindings?(console.log(`\u2705 Found ${N.bindings.length} result(s) ... L485: \u26A0\uFE0F Files skipped due to IRI issues:`);for(let u of o.skippedFiles)console.log(` - ${u.path}`),console.log(` ${u.reason}`);console.log("")}if(console.log(`\u2705 In... L486: \u{1F4CA} Cache Statistics:`),console.log(` Triples: ${u.tripleCount.toLocaleString()}`),console.log(` Created: ${u.createdAt.toISOString()}`),console.log(` Valid: ${u.isVali... L487: Hidden by precondition (${n.hidden.length}):`),n.hidden.length===0)console.log(" (none)");else for(let r of n.hidden)console.log(` \u2717 ${t(r)} \u2014 precondition not satisfie... L488: `),r={};for(let i of t){let s=i.match(/^(\w[\w]*):\s*(.*)$/);s&&(r[s[1]]=!0)}return r}a(Lj,"extractFrontmatter");function Nj(n){for(let e of lA.keys())if(n.startsWith(e))return!0;r...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L473
17(Did you mean one of ${r.join(", ")}?)`:r.length===1?` L18: (Did you mean ${r[0]}?)`:""}a(n5,"suggestSimilar");RR.suggestSimilar=n5});var DR=T(gb=>{var i5=require("node:events").EventEmitter,db=require("node:child_process"),so=require("node... L19: - specify the name in Command constructor or using .name()`);return t=t||{},t.isDefault&&(this._defaultCommandName=e._name),(t.noHelp||t.hidden)&&(e._hidden=!0),this._registerComma... ... L30: Expecting one of '${r.join("', '")}'`);let i=`${e}Help`;return this.on(i,s=>{let o;typeof t=="function"?o=t({error:s.error,command:s.command}):o=t,o&&s.write(`${o} L31: `)}),this}_outputHelpIfRequested(e){let t=this._getHelpOption();t&&e.find(i=>t.is(i))&&(this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)"))}};function PR(n){r... L32: `).map(r=>t+r)].join(`
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review the data flow before blocking. Note that the flagged location is the same bundled-library span as the Child Process finding above (L17), so the three signals may come from separate, unrelated code paths that merely share one minified file.

dist/index.js · L17

Findings

4 High, 4 Medium, 6 Low
High — Install Time Lifecycle Scripts — package.json
High — Child Process — dist/index.js
High — Same File Env Network Execution — dist/index.js
High — Command Output Exfiltration — dist/index.js
Medium — Ambiguous Install Lifecycle Script — package.json
Medium — Network
Medium — Environment Vars
Medium — Structural Risk Force Deep Review
Low — Non Install Lifecycle Scripts
Low — Scripts Present
Low — Eval
Low — Filesystem
Low — High Entropy Strings
Low — Url Strings