registry  /  @neetru/cli  /  2.12.22

@neetru/cli@2.12.22

Neetru Developer Kit — scaffold, AI assistant, publish, build e deploy de produtos SaaS Neetru via Core (VM-based agents)

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 105 file(s), 954 KB of source, external domains: api.groq.com, api.neetru.com, cloud.google.com, core.neetru.com, deb.nodesource.com, generativelanguage.googleapis.com, get.docker.com, git-scm.com, github.com, integrate.api.nvidia.com, minhaconta.neetru.com, neetru.com, registry.npmjs.org, sdk.cloud.google.com, storage.googleapis.com

Source & flagged code

6 flagged · loading source
dist/lib/db-pipeline/rehearse.jsView file
68patternName = generic_password severity = medium line = 68 matchedText = password...ev',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/lib/db-pipeline/rehearse.jsView on unpkg · L68
73patternName = generic_password severity = medium line = 73 matchedText = password...ev',
Medium
Secret Pattern

Hardcoded password in dist/lib/db-pipeline/rehearse.js

dist/lib/db-pipeline/rehearse.jsView on unpkg · L73
dist/lib/ai/auth-discovery.jsView file
18*/ L19: import { execSync, execFileSync } from 'node:child_process'; L20: import { existsSync, readFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/lib/ai/auth-discovery.jsView on unpkg · L18
284try { L285: execSync(`npm install -g ${npmPackage}`, { stdio: 'inherit' }); L286: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/lib/ai/auth-discovery.jsView on unpkg · L284
dist/commands/build.jsView file
216* Detecta se um script npm usa prefixo de variável de ambiente no estilo Unix L217: * (ex: `NODE_ENV=production next build`) que é incompatível com cmd.exe. L218: *
High
Shell

Package source references shell execution.

dist/commands/build.jsView on unpkg · L216
dist/commands/bootstrap.jsView file
8* 1. Verifica binários do sistema (Node, npm, git, gcloud, docker, firebase). L9: * 2. Pra deps Node críticas — auto-install no `cwd` se há `package.json`. L10: * 3. Pra binários do SO — NÃO auto-install (risco em máquinas variadas); ... L24: */ L25: import { spawn, spawnSync } from 'node:child_process'; L26: import * as fsSync from 'node:fs'; ... L36: return null; L37: const out = (r.stdout || r.stderr || '').trim(); L38: // Pega a primeira string que parece versão semver (X.Y.Z) ... L61: return null; L62: const p = process.platform; L63: return installCmd[p] ?? installCmd.linux ?? null;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/bootstrap.jsView on unpkg · L8

Findings

4 High5 Medium5 Low
HighChild Processdist/lib/ai/auth-discovery.js
HighShelldist/commands/build.js
HighSandbox Evasion Gated Capabilitydist/commands/bootstrap.js
HighRuntime Package Installdist/lib/ai/auth-discovery.js
MediumSecret Patterndist/lib/db-pipeline/rehearse.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/lib/db-pipeline/rehearse.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings