registry  /  @mx-space/cli  /  0.13.3

@mx-space/cli@0.13.3

Command line interface for mx-space (mx-core) — auth, content, configuration

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 43 file(s), 5.25 MB of source, external domains: base-ui.com, blog.example.com, developer.mozilla.org, dom.spec.whatwg.org, esm.sh, github.com, html.spec.whatwg.org, image.tmdb.org, lexical.dev, react.dev, registry.npmjs.org, t.me, twitter.com, www.w3.org, www.zhihu.com
Oversized source lightweight scan
dist/vendor/litexml/litexml-html-preview-client.js8.51 MB file, sampled 256 KB
NetworkDynamicRequireHighEntropyStringsUrlStringsbase-ui.comesm.shgithub.comimage.tmdb.orglexical.devreact.devt.metwitter.comwww.w3.orgwww.zhihu.com

Source & flagged code

8 flagged · loading source
dist/mxs-zPvjkoNC.mjsView file
32056stdio: "inherit", L32057: shell: true L32058: });
High
Shell

Package source references shell execution.

dist/mxs-zPvjkoNC.mjsView on unpkg · L32056
5Cross-file remote execution chain: dist/mxs-zPvjkoNC.mjs spawns dist/esm-BNu4sUWV.mjs; helper contains network access plus dynamic code execution. L5: import { createRequire } from "node:module"; L6: import * as ChildProcess from "node:child_process"; L7: import childProcess, { execFile, spawn } from "node:child_process"; ... L20: import l__default from "node:readline"; L21: import * as Http from "node:http"; L22: import * as Https from "node:https"; ... L26: import fs$1, { constants, readFile } from "node:fs/promises"; L27: import process$1, { stdin, stdout } from "node:process"; L28: //#region ../../node_modules/.pnpm/@effect+platform@0.96.2_effect@3.21.4/node_modules/@effect/platform/dist/esm/Error.js ... L114: readFileString: (path, encoding) => tryMap(impl.readFile(path), { L115: try: (_) => new TextDecoder(encoding).decode(_), L116: catch: (cause) => new BadArgument({
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/mxs-zPvjkoNC.mjsView on unpkg · L5
18576patternName = generic_password severity = medium line = 18576 matchedText = password...d]",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/mxs-zPvjkoNC.mjsView on unpkg · L18576
bin/mxs.cjsView file
3const { join } = require('node:path') L4: const { spawnSync } = require('node:child_process') L5:
High
Child Process

Package source references child process execution.

bin/mxs.cjsView on unpkg · L3
1#!/usr/bin/env node L2: const { existsSync } = require('node:fs') L3: const { join } = require('node:path')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/mxs.cjsView on unpkg · L1
dist/esm-BNu4sUWV.mjsView file
11225prop: "value", L11226: eval(fiber) { L11227: const cont = fiber.getCont(successCont);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/esm-BNu4sUWV.mjsView on unpkg · L11225
dist/vendor/litexml/litexml-html-preview-client.jsView file
path = dist/vendor/litexml/litexml-html-preview-client.js kind = oversized_source_file sizeBytes = 8928594 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/vendor/litexml/litexml-html-preview-client.jsView on unpkg
dist/vendor/litexml/cli.mjsView file
17175patternName = generic_password severity = medium line = 17175 matchedText = password...d]",
Medium
Secret Pattern

Hardcoded password in dist/vendor/litexml/cli.mjs

dist/vendor/litexml/cli.mjsView on unpkg · L17175

Findings

4 High6 Medium6 Low
HighChild Processbin/mxs.cjs
HighShelldist/mxs-zPvjkoNC.mjs
HighCross File Remote Execution Contextdist/mxs-zPvjkoNC.mjs
HighOversized Source Filedist/vendor/litexml/litexml-html-preview-client.js
MediumSecret Patterndist/mxs-zPvjkoNC.mjs
MediumDynamic Requirebin/mxs.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/vendor/litexml/cli.mjs
LowScripts Present
LowEvaldist/esm-BNu4sUWV.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License