
@nitra/cursor@13.4.1

⚠ Under review

CLI for downloading cursor rules (n- prefix) into a local repository

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 289 file(s), 1.75 MB of source, external domains: api.github.com, blueoakcouncil.org, brew.sh, bun.com, datreeio.github.io, git.io, github.com, json.schemastore.org, kubernetes.io, pypi.org, raw.githubusercontent.com, registry.npmjs.org, scoop.sh, unpkg.com

Source & flagged code

7 flagged
bin/n-cursor.js
L62:
L63: import { spawnSync } from 'node:child_process'
L64: import { existsSync } from 'node:fs'
High
Child Process

Package source references child process execution.

bin/n-cursor.js · L62
scripts/skills-cli.mjs
L44: function isBinaryInPath(name) {
L45:   const probe = spawnSync('command', ['-v', name], { shell: true, encoding: 'utf8' })
L46:   return probe.status === 0
High
Shell

Package source references shell execution.

scripts/skills-cli.mjs · L44
scripts/lib/lint-surface/run-fix.mjs
L9: * EXCLUSIVELY canonical re-detect. The worker does not own rollback/tier/ladder, only a single attempt.
L10: * @typedef {import('./types.mjs').LintContext} LintContext
L11: * @typedef {import('./types.mjs').LintViolation} LintViolation
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/lib/lint-surface/run-fix.mjs · L9
rules/image-compress/check/main.mjs
L29:
L30: const r = spawnSync('npx', ['@nitra/minify-image', '--src=.', '--json'], {
L31:   cwd,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

rules/image-compress/check/main.mjs · L29
.claude-template/hooks/normalize-decisions.sh
path = .claude-template/hooks/normalize-decisions.sh
kind = payload_in_excluded_dir
sizeBytes = 23833
magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude-template/hooks/normalize-decisions.sh
path = .claude-template/hooks/normalize-decisions.sh
kind = build_helper
sizeBytes = 23833
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.claude-template/hooks/normalize-decisions.sh
rules/changelog/consistency/main.mjs
matchType = previous_version_dangerous_delta
matchedPackage = @nitra/cursor@13.2.2
matchedIdentity = npm:QG5pdHJhL2N1cnNvcg:13.2.2
similarity = 0.492
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

rules/changelog/consistency/main.mjs

Findings

1 Critical · 4 High · 5 Medium · 4 Low
Critical · Previous Version Dangerous Delta · rules/changelog/consistency/main.mjs
High · Child Process · bin/n-cursor.js
High · Shell · scripts/skills-cli.mjs
High · Runtime Package Install · rules/image-compress/check/main.mjs
High · Payload In Excluded Dir · .claude-template/hooks/normalize-decisions.sh
Medium · Dynamic Require · scripts/lib/lint-surface/run-fix.mjs
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · .claude-template/hooks/normalize-decisions.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings