registry  /  @lovinka/vitrinka  /  1.10.0

@lovinka/vitrinka@1.10.0

vitrinka CLI + MCP server — capture and publish artifact sets, drive the annotation-board work queue from any MCP-aware AI.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 269 KB of source, external domains: registry.npmjs.org, vitrinka.lovinka.com

Source & flagged code

6 flagged · loading source
dist/cli.jsView file
15import { tmpdir, hostname } from 'node:os'; L16: import { spawnSync, spawn } from 'node:child_process'; L17: import { createHash } from 'node:crypto';
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L15
1842if [ -n "$VITRINKA_ORIG" ]; then L1843: out=$(printf '%s' "$input" | /bin/sh -c "$VITRINKA_ORIG") L1844: fi
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L1842
1049const opener = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open'; L1050: spawnSync(opener, [verifyUrl], { stdio: 'ignore' }); L1051: const intervalMs = Math.max(1, s.interval ?? 2) * 1000; L1052: const deadline = Date.now() + (s.expires_in ?? 600) * 1000; L1053: process.stdout.write(' waiting for approval …'); L1054: while (Date.now() < deadline) { ... L1057: try { L1058: res = await fetch(`${base}/api/v1/cli/auth/claim`, { L1059: method: 'POST',
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L1049
15import { tmpdir, hostname } from 'node:os'; L16: import { spawnSync, spawn } from 'node:child_process'; L17: import { createHash } from 'node:crypto'; ... L93: try { L94: m = JSON.parse(raw); L95: } ... L153: // appVersionOf reads the app's version string for capture provenance: L154: // app.json (Expo: expo.version, or bare version) first, then package.json. L155: // Best-effort — a missing/malformed file just leaves the field off. ... L359: const r = spawnSync('git', gitArgs, { cwd, encoding: 'utf8' }); L360: return r.status === 0 ? r.stdout.trim() : ''; L361: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L15
2226} L2227: // updateCmd updates the CLI source (git pull in a repo checkout, `npm i -g` for L2228: // a global npm install — detected from where the running file lives), then ... L2239: console.log(`repo checkout ${repoTop} (${before || '?'}) — git pull --ff-only…`); L2240: const pull = spawnSync('git', ['-C', repoTop, 'pull', '--ff-only'], { stdio: 'inherit' }); L2241: if (pull.status !== 0)
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L2226
15import { tmpdir, hostname } from 'node:os'; L16: import { spawnSync, spawn } from 'node:child_process'; L17: import { createHash } from 'node:crypto'; ... L93: try { L94: m = JSON.parse(raw); L95: } ... L153: // appVersionOf reads the app's version string for capture provenance: L154: // app.json (Expo: expo.version, or bare version) first, then package.json. L155: // Best-effort — a missing/malformed file just leaves the field off. ... L359: const r = spawnSync('git', gitArgs, { cwd, encoding: 'utf8' }); L360: return r.status === 0 ? r.stdout.trim() : ''; L361: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.jsView on unpkg · L15

Findings

5 High4 Medium5 Low
HighChild Processdist/cli.js
HighShelldist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighRuntime Package Installdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings