registry  /  @lucyus/actionify  /  0.18.1

@lucyus/actionify@0.18.1

Actionify is a lightweight Node.js automation library for Windows, enabling seamless control of the mouse, keyboard, clipboard, screen, windows and sound, with additional features like OCR and more.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNativeBindingsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 326 file(s), 582 KB of source, external domains: api.github.com, github.com, raw.githubusercontent.com

Source & flagged code

4 flagged · loading source
lib/core/controllers/lifecycle/lifecycle.controller.jsView file
3exports.LifecycleController = void 0; L4: const child_process_1 = require("child_process"); L5: const addon_1 = require("../../../addon");
High
Child Process

Package source references child process execution.

lib/core/controllers/lifecycle/lifecycle.controller.jsView on unpkg · L3
lib/cli/actionify/helpers/sherpa-onnx/sherpa-onnx.helper.jsView file
6exports.SherpaOnnxHelper = void 0; L7: const node_child_process_1 = require("node:child_process"); L8: const node_fs_1 = __importDefault(require("node:fs")); ... L11: static async fetchDownloadableTtsModels(commandFullName) { L12: const httpRequestOptions = process.env.GITHUB_ACCESS_TOKEN L13: ? { headers: { "Authorization": `Bearer ${process.env.GITHUB_ACCESS_TOKEN}` } } L14: : undefined; L15: const httpResponse = await fetch(`https://api.github.com/repos/k2-fsa/sherpa-onnx/releases/tags/tts-models`, httpRequestOptions); L16: if (httpResponse.status !== 200) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/cli/actionify/helpers/sherpa-onnx/sherpa-onnx.helper.jsView on unpkg · L6
6exports.SherpaOnnxHelper = void 0; L7: const node_child_process_1 = require("node:child_process"); L8: const node_fs_1 = __importDefault(require("node:fs")); ... L11: static async fetchDownloadableTtsModels(commandFullName) { L12: const httpRequestOptions = process.env.GITHUB_ACCESS_TOKEN L13: ? { headers: { "Authorization": `Bearer ${process.env.GITHUB_ACCESS_TOKEN}` } } L14: : undefined; L15: const httpResponse = await fetch(`https://api.github.com/repos/k2-fsa/sherpa-onnx/releases/tags/tts-models`, httpRequestOptions); L16: if (httpResponse.status !== 200) { ... L20: const xRateLimitResetHeader = httpResponse.headers.get("x-ratelimit-reset"); L21: const isUsingWindows = process.platform === "win32"; L22: if (xRateLimitResetHeader) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

lib/cli/actionify/helpers/sherpa-onnx/sherpa-onnx.helper.jsView on unpkg · L6
lib/assets/images/icons/error.icoView file
path = lib/assets/images/icons/error.ico kind = high_entropy_blob sizeBytes = 6493 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

lib/assets/images/icons/error.icoView on unpkg

Findings

4 High3 Medium4 Low
HighChild Processlib/core/controllers/lifecycle/lifecycle.controller.js
HighSame File Env Network Executionlib/cli/actionify/helpers/sherpa-onnx/sherpa-onnx.helper.js
HighSandbox Evasion Gated Capabilitylib/cli/actionify/helpers/sherpa-onnx/sherpa-onnx.helper.js
HighShips High Entropy Bloblib/assets/images/icons/error.ico
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings