@loopress/cli@0.8.0

CLI tool for syncing WordPress code snippets, plugins, and Composer dependencies via the REST API

Static Scan Results

scanned 18h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: UrlStrings
Manifest: CopyleftLicense
scanned 34 file(s), 73.0 KB of source, external domains: api.loopress.dev, api.wordpress.org, console.loopress.dev, example.com

Source & flagged code

2 flagged
dist/commands/login.js
L1: import { Command } from '@oclif/core';
L2: import { exec } from 'node:child_process';
L3: import { createServer } from 'node:http';
L4: import { authManager } from '../config/auth.manager.js';
...
L20: };
L21: const cmd = cmds[process.platform];
L22: if (cmd) ...
L33: res.writeHead(400, { 'Content-Type': 'text/plain' });
L34: res.end('Missing token');
L35: return;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/login.js · L1

bin/dev.cmd
path = bin/dev.cmd kind = build_helper sizeBytes = 86 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/dev.cmd

Findings

1 High · 4 Medium · 4 Low
High: Sandbox Evasion Gated Capability (dist/commands/login.js)
Medium: Network
Medium: Environment Vars
Medium: Ships Build Helper (bin/dev.cmd)
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: Url Strings
Low: Copyleft License