
@munchfile/cli@0.6.2

MunchFile CLI — watch local files, share live URLs.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 50 file(s), 196 KB of source, external domains: 127.0.0.1, api.github.com, api.munchfile.com, app.munchfile.com, github.com, munchfile.com, registry.npmjs.org, view.munchfile.com

Source & flagged code

2 flagged

dist/daemon/autostart.js

L9: import path from 'path';
L10: import { execFileSync } from 'child_process';
L11: import { buildSpawnArgs, buildChildEnv } from './process.js';
...
L13: const LAUNCHD_LABEL = 'dev.munchfile.daemon';
L14: const LAUNCHD_PLIST_PATH = path.join(os.homedir(), 'Library', 'LaunchAgents', 'dev.munchfile.daemon.plist');
L15: const SYSTEMD_UNIT_NAME = 'munchfile.service';
L16: const SYSTEMD_UNIT_DIR = path.join(process.env.XDG_CONFIG_HOME ?? path.join(os.homedir(), '.config'), 'systemd', 'user');
L17: const SYSTEMD_UNIT_PATH = path.join(SYSTEMD_UNIT_DIR, SYSTEMD_UNIT_NAME);
L18: const LAUNCHCTL = '/bin/launchctl';
L19: const SYSTEMCTL = '/usr/bin/systemctl';
...
L23: export function detectPlatform() {
L24:     if (process.platform === 'darwin')
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/daemon/autostart.js · L9

dist/daemon/watch-core.js

package = @munchfile/cli; repositoryIdentity = munchfile; dependency = @munchfile/watch-core-native
L26: try {
L27:     const native = await import('@munchfile/watch-core-native');
L28:     nativeCtor = native.WatchCore;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/daemon/watch-core.js · L26

Findings

1 High · 4 Medium · 6 Low

High · Copied Package Dependency Bridge · dist/daemon/watch-core.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/daemon/autostart.js
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings