registry  /  @kurumera/cli  /  0.1.1

@kurumera/cli@0.1.1

Kurumera CLI — login, scaffold, dev, check, push, preview, publish.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 22 file(s), 26.4 KB of source, external domains: 127.0.0.1, admin.kurumera.com, kurumera.com

Source & flagged code

3 flagged · loading source
dist/commands/login.jsView file
1import http from "node:http"; L2: import { spawn } from "node:child_process"; L3: import { randomBytes } from "node:crypto";
High
Child Process

Package source references child process execution.

dist/commands/login.jsView on unpkg · L1
1import http from "node:http"; L2: import { spawn } from "node:child_process"; L3: import { randomBytes } from "node:crypto"; ... L6: /** The Kurumera dashboard that hosts the authorize page (kurumera.com). */ L7: const DASHBOARD = (process.env.KURUMERA_DASHBOARD || "https://kurumera.com").replace(/\/+$/, ""); L8: function openBrowser(url) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/login.jsView on unpkg · L1
1import http from "node:http"; L2: import { spawn } from "node:child_process"; L3: import { randomBytes } from "node:crypto"; ... L6: /** The Kurumera dashboard that hosts the authorize page (kurumera.com). */ L7: const DASHBOARD = (process.env.KURUMERA_DASHBOARD || "https://kurumera.com").replace(/\/+$/, ""); L8: function openBrowser(url) { L9: try { L10: if (process.platform === "win32") { L11: // cmd's `start` treats & as a command separator, which truncates the URL ... L45: res.writeHead(404); L46: res.end(); L47: return;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/login.jsView on unpkg · L1

Findings

4 High3 Medium5 Low
HighChild Processdist/commands/login.js
HighShell
HighSame File Env Network Executiondist/commands/login.js
HighSandbox Evasion Gated Capabilitydist/commands/login.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License