@m13v/s4l@1.6.202

Automated social posting pipeline for Reddit, X/Twitter, LinkedIn, and Moltbook. Install as a Claude Code agent skill.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 18 file(s), 486 KB of source, external domains: 127.0.0.1, api.github.com, app.s4l.ai, astral.sh, dl.google.com, github.com, s4l.ai, www.apple.com, www.google.com

Source & flagged code

6 flagged
bin/cookie-helper.js
L14: const { spawn, spawnSync } = require('child_process');
L15: const fs = require('fs');
High
Child Process

Package source references child process execution.

bin/cookie-helper.js · L13

package = @m13v/s4l; repositoryIdentity = social-autoposter; dependency = ws
L31: } else {
L32: try { WS = require('ws'); } catch {
L33: try { WS = require(path.join('/usr/lib/node_modules', 'ws')); } catch {}
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

bin/cookie-helper.js · L31

L14: const { spawn, spawnSync } = require('child_process');
L15: const fs = require('fs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/cookie-helper.js · L13

bin/scheduler/launchd.js
L4: const fs = require('fs');
L5: const { execSync, spawnSync } = require('child_process');
L6: const platform = require('../platform');
...
L32: \t<array>
L33: \t\t<string>/bin/bash</string>
L34: \t\t<string>${job.script}</string>
...
L38: \t<key>StandardOutPath</key>
L39: \t<string>${job.stdoutLog}</string>
L40: \t<key>StandardErrorPath</key>
...
L80: try {
L81: const out = execSync('launchctl list', { stdio: 'pipe', maxBuffer: 8 * 1024 * 1024 }).toString();
L82: for (const line of out.split('\n').slice(1)) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/scheduler/launchd.js · L4

bin/cli.js
L825: }
L826: console.log(' installing MCP runtime deps (npm install --omit=dev in mcp/)');
L827: const npmRes = spawnSync('npm', ['install', '--omit=dev', '--no-audit', '--no-fund'], {
L828: cwd: mcpDest,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cli.js · L825

skill/dm-outreach-reddit.sh
path = skill/dm-outreach-reddit.sh; kind = build_helper; sizeBytes = 16928; magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skill/dm-outreach-reddit.sh

Findings

4 High · 6 Medium · 4 Low
High · Child Process · bin/cookie-helper.js
High · Shell
High · Copied Package Dependency Bridge · bin/cookie-helper.js
High · Runtime Package Install · bin/cli.js
Medium · Dynamic Require · bin/cookie-helper.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · bin/scheduler/launchd.js
Medium · Ships Build Helper · skill/dm-outreach-reddit.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings