registry  /  @mocoto/mahoraga  /  0.14.4

@mocoto/mahoraga@0.14.4

C.L.I modular para análise, diagnóstico e manutenção de projetos JavaScript/TypeScript e multi-stack leve

Static Scan Results

scanned 10h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,166 file(s), 3.84 MB of source, external domains: api.github.com, discord.js.org, expressjs.com, github.com, nextjs.org, nodejs.org, raw.githubusercontent.com, react.dev, telegraf.js.org, turborepo.org, www.electronjs.org, www.typescriptlang.org, www.w3.org

Source & flagged code

5 flagged · loading source
dist/core/messages/ja/core/plugin-messages.jsView file
210evalUsage: 'eval() が検出されました。eval の使用は避けてください - セキュリティ脆弱性。', L211: execUsage: 'exec() が検出されました。exec の使用は避けてください - セキュリティ脆弱性。', L212: subprocessShellTrue: 'shell=True の subprocess が検出されました。コマンドインジェクションのリスク。引数リストと shell=False を優先してください。',
High
Child Process

Package source references child process execution.

dist/core/messages/ja/core/plugin-messages.jsView on unpkg · L210
209printInsteadOfLog: 'print() が検出されました。本番環境では logging モジュールを優先してください。', L210: evalUsage: 'eval() が検出されました。eval の使用は避けてください - セキュリティ脆弱性。', L211: execUsage: 'exec() が検出されました。exec の使用は避けてください - セキュリティ脆弱性。',
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/core/messages/ja/core/plugin-messages.jsView on unpkg · L209
dist/core/utils/import-safe.jsView file
15// permite que o chamador capture exceções do plugin L16: return import(resolvido.caminho); L17: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/utils/import-safe.jsView on unpkg · L15
dist/core/execution/executor.jsView file
1// SPDX-License-Identifier: MIT L2: import crypto from 'node:crypto';
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/execution/executor.jsView on unpkg · L1
dist/licenses/generate-notices.jsView file
111try { L112: const { stdout } = await execFile('npx', ['--yes', 'license-checker-rseidelsohn', '--production', '--json'], { L113: cwd: root,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/licenses/generate-notices.jsView on unpkg · L111

Findings

3 High4 Medium6 Low
HighChild Processdist/core/messages/ja/core/plugin-messages.js
HighShell
HighRuntime Package Installdist/licenses/generate-notices.js
MediumDynamic Requiredist/core/utils/import-safe.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/core/messages/ja/core/plugin-messages.js
LowWeak Cryptodist/core/execution/executor.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings