registry  /  @lark-project/cli  /  2.8.0

@lark-project/cli@2.8.0

飞书项目插件开发工具

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 194 file(s), 834 KB of source, external domains: meegle.com, meego.example.com, nodejs.org, project.feishu.cn, r.cnpmjs.org, registry.npmjs.org, registry.npmmirror.com, sf3-cn.feishucdn.com, www.w3.org

Source & flagged code

10 flagged · loading source
package.jsonView file
dependencies registry_only=skills
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg
scripts.postinstall = node ./scripts/install-skills.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts/uninstall-skills.jsView file
14L15: const { spawn, execSync } = require('child_process'); L16: const path = require('path');
High
Child Process

Package source references child process execution.

scripts/uninstall-skills.jsView on unpkg · L14
lib/v1/utils/index.jsView file
25const ora_1 = __importDefault(require("ora")); L26: const execa_1 = __importDefault(require("execa")); L27: const fs_extra_1 = __importDefault(require("fs-extra"));
High
Shell

Package source references shell execution.

lib/v1/utils/index.jsView on unpkg · L25
lib/v1/plugin/HotUpdatePlugin.jsView file
31try { L32: return eval('(' + moreModules[moduleId].toString() + ')') L33: } catch(e) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/v1/plugin/HotUpdatePlugin.jsView on unpkg · L31
bin/index.jsView file
1#!/usr/bin/env node L2: require('../lib/cli.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/index.jsView on unpkg · L1
lib/utils/check-latest-version.jsView file
51try { L52: const result = shelljs_1.default.exec('npm install -g @lark-project/cli@latest'); L53: if (result.code !== 0) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/utils/check-latest-version.jsView on unpkg · L51
lib/template/v2.zipView file
path = lib/template/v2.zip kind = high_entropy_blob sizeBytes = 562713 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

lib/template/v2.zipView on unpkg
path = lib/template/v2.zip kind = compressed_blob sizeBytes = 562713 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

lib/template/v2.zipView on unpkg
path = lib/template/v2.zip kind = nested_archive_needs_inspection sizeBytes = 562713 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

lib/template/v2.zipView on unpkg

Findings

1 Critical5 High6 Medium7 Low
CriticalManifest Confusionpackage.json
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processscripts/uninstall-skills.js
HighShelllib/v1/utils/index.js
HighRuntime Package Installlib/utils/check-latest-version.js
HighShips High Entropy Bloblib/template/v2.zip
MediumDynamic Requirebin/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Bloblib/template/v2.zip
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvallib/v1/plugin/HotUpdatePlugin.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionlib/template/v2.zip