registry  /  @lumpcode/cli  /  0.0.9

@lumpcode/cli@0.0.9

⚠ Under review

CLI for running agent loops over your codebase. Run agent loop campaigns (lumps) with CLI agents, git branches, and resumable LUMP marker commits

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 995 KB of source, external domains: dotenvx.com, github.com, json-schema.org, raw.githubusercontent.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/lumpcode.jsView file
2L3: const { spawn } = require('node:child_process'); L4: const fs = require('node:fs');
High
Child Process

Package source references child process execution.

bin/lumpcode.jsView on unpkg · L2
2Cross-file remote execution chain: bin/lumpcode.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2: L3: const { spawn } = require('node:child_process'); L4: const fs = require('node:fs'); ... L6: L7: const pkgRoot = path.join(__dirname, '..'); L8: const vendorDir = path.join(pkgRoot, 'vendor'); ... L10: const nativeBinary = L11: process.platform === 'win32' L12: ? path.join(vendorDir, 'lumpcode.exe')
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/lumpcode.jsView on unpkg · L2
2L3: const { spawn } = require('node:child_process'); L4: const fs = require('node:fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/lumpcode.jsView on unpkg · L2
dist/presets/commands/cursor.jsView file
8L9: const execAsync = promisify(exec); L10:
High
Shell

Package source references shell execution.

dist/presets/commands/cursor.jsView on unpkg · L8
dist/index.jsView file
1(()=>{var e={3457:(e,t,r)=>{"use strict";Object.defineProperty(t,"__esModule",{value:true});t.MissingRefError=t.ValidationError=t.CodeGen=t.Name=t.nil=t.stringify=t.str=t._=t.Keywo... L2: || (${u} == "string" && ${o} && ${o} == +${o})`).assign(c,(0,s._)`+${o}`);return;case"integer":i.elseIf((0,s._)`${u} === "boolean" || ${o} === null ... L6: depsCount: ${t}, L7: deps: ${r}}`};const s={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){const[t,r]=splitDependencies(e);validatePropertyDeps(e,t);validateSchemaDeps(e... L8: /*! js-yaml 5.0.0 https://github.com/nodeca/js-yaml @license MIT */var b=Symbol("NOT_RESOLVED");var $=Symbol("MERGE_KEY");function defineScalarTag(e,t){return{tagName:e,nodeKind:"s...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L1
1(()=>{var e={3457:(e,t,r)=>{"use strict";Object.defineProperty(t,"__esModule",{value:true});t.MissingRefError=t.ValidationError=t.CodeGen=t.Name=t.nil=t.stringify=t.str=t._=t.Keywo... L2: || (${u} == "string" && ${o} && ${o} == +${o})`).assign(c,(0,s._)`+${o}`);return;case"integer":i.elseIf((0,s._)`${u} === "boolean" || ${o} === null L3: || (${u} === "string" && ${o} && ${o} == +${o} && !(${o} % 1))`).assign(c,(0,s._)`+${o}`);return;case"boolean":i.elseIf((0,s._)`${o} === "false" || ${o} === 0 || ${o} === null`).as... L4: || ${u} === "boolean" || ${o} === null`).assign(c,(0,s._)`[${o}]`)}}}function assignParentData({gen:e,parentData:t,parentDataProperty:r},i){e.if((0,s._)`${t} !== undefined`,(()=>e.... L5: missingProperty: ${o}, L6: depsCount: ${t}, L7: deps: ${r}}`};const s={keyword:"dependencies",type:"object",schemaType:"object",error:t.error,code(e){const[t,r]=splitDependencies(e);validatePropertyDeps(e,t);validateSchemaDeps(e... L8: /*! js-yaml 5.0.0 https://github.com/nodeca/js-yaml @license MIT */var b=Symbol("NOT_RESOLVED");var $=Symbol("MERGE_KEY");function defineScalarTag(e,t){return{tagName:e,nodeKind:"s...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L1
1(()=>{var e={3457:(e,t,r)=>{"use strict";Object.defineProperty(t,"__esModule",{value:true});t.MissingRefError=t.ValidationError=t.CodeGen=t.Name=t.nil=t.stringify=t.str=t._=t.Keywo... L2: || (${u} == "string" && ${o} && ${o} == +${o})`).assign(c,(0,s._)`+${o}`);return;case"integer":i.elseIf((0,s._)`${u} === "boolean" || ${o} === null
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L1

Findings

7 High4 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/lumpcode.js
HighShelldist/presets/commands/cursor.js
HighSame File Env Network Executiondist/index.js
HighObfuscated Payload Loaderdist/index.js
HighCross File Remote Execution Contextbin/lumpcode.js
HighObfuscated
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/lumpcode.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings