
@menukfernandoo/canvas-flow@0.2.0

HTML is the new markdown. CanvasFlow is the new editor for your HTML artifacts.

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
  Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.
scanned 3 file(s), 591 KB of source, external domains: api.ht-ml.app, bugs.chromium.org, bugs.webkit.org, bugzilla.mozilla.org, cdn.jsdelivr.net, daisyui.com, esm.sh, github.com, ht-ml.app, tailwindcss.com

Source & flagged code

5 flagged

High · Child Process
Package source references child process execution.
dist/cli.mjs · L8:
    L8:  // src/cli.js
    L9:  import { spawn, spawnSync } from "node:child_process";
    L10: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync, writeFileSync } from "node:fs";
High · Shell
Package source references shell execution.
dist/cli.mjs · L6851:
    L6851: `const command = ${JSON.stringify(command)};`,
    L6852: 'const result = spawnSync(command, [], { encoding: "utf8", shell: true });',
    L6853: 'const detail = result.error ? result.error.message : (result.stderr || result.stdout || "exit " + (result.status ?? "unknown"));',
High · Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.mjs · L7089:
    L7089: const stdio = (
    L7090:   /** @type {import("node:child_process").StdioOptions} */
    L7091:   logFd === null ? "ignore" : ["ignore", logFd, logFd]
    ...
    L7095:   stdio,
    L7096:   env: { ...process.env, CANVAS_FLOW_NO_OPEN: "1" }
    L7097: };
    ...
    L7102: try {
    L7103:   response = await fetch(url);
    L7104:   break;
High · Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
Cross-file remote execution chain: dist/cli.mjs spawns dist/design/tailwindcss-browser.js; the helper contains network access plus dynamic code execution.
dist/cli.mjs · L8:
    L8:   // src/cli.js
    L9:   import { spawn, spawnSync } from "node:child_process";
    L10:  import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync, writeFileSync } from "node:fs";
    ...
    L151: <script type="module">
    L152: import { File, FileDiff } from "https://esm.sh/@pierre/diffs@1.2.10?bundle";
    L153: ...
    L226: "CanvasFlow is strongest when the artifact becomes a focused review surface and not just a static page.",
    L227: `A native single-choice question should submit the final value: \`<form data-canvasflow-question="plan" onsubmit="event.preventDefault(); const choice = new FormData(event.currentT...
    L228: "A custom choice UI should make option buttons update local state, then use a separate Queue answer button with data-canvasflow-action to queue the final selected value.",
    ...
    L870: const ctx = {
    L871:   baseDir: options.baseDir || process.cwd(),
    L872:   confineDir,
High · Spawned Bundled Service Listener
Source launches a detached bundled service that exposes a broad-bound HTTP listener.
Detached bundled service listener: dist/cli.mjs launches a Node helper and exposes a broad-bound HTTP listener.
dist/cli.mjs · L8:
    L8:   // src/cli.js
    L9:   import { spawn, spawnSync } from "node:child_process";
    L10:  import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync, writeFileSync } from "node:fs";
    ...
    L151: <script type="module">
    L152: import { File, FileDiff } from "https://esm.sh/@pierre/diffs@1.2.10?bundle";
    L153: ...
    L226: "CanvasFlow is strongest when the artifact becomes a focused review surface and not just a static page.",
    L227: `A native single-choice question should submit the final value: \`<form data-canvasflow-question="plan" onsubmit="event.preventDefault(); const choice = new FormData(event.currentT...
    L228: "A custom choice UI should make option buttons update local state, then use a separate Queue answer button with data-canvasflow-action to queue the final selected value.",
    ...
    L870: const ctx = {
    L871:   baseDir: options.baseDir || process.cwd(),
    L872:   confineDir,

Findings

5 High · 3 Medium · 4 Low

High   · Child Process                        · dist/cli.mjs
High   · Shell                                · dist/cli.mjs
High   · Same File Env Network Execution      · dist/cli.mjs
High   · Cross File Remote Execution Context  · dist/cli.mjs
High   · Spawned Bundled Service Listener     · dist/cli.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low    · Scripts Present
Low    · Filesystem
Low    · High Entropy Strings
Low    · Url Strings