@nitra/cursor@14.8.1

CLI for downloading cursor rules (prefix n-) into a local repository

Static Scan Results

scanned 8h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 240 file(s), 1.81 MB of source, external domains: api.github.com, blueoakcouncil.org, brew.sh, bun.com, datreeio.github.io, git.io, github.com, json.schemastore.org, kubernetes.io, pypi.org, raw.githubusercontent.com, registry.npmjs.org, scoop.sh, unpkg.com

Source & flagged code

6 flagged
bin/n-cursor.js
L62:
L63: import { spawnSync } from 'node:child_process'
L64: import { existsSync } from 'node:fs'
High
Child Process

Package source references child process execution.

bin/n-cursor.js · L62
scripts/skills-cli.mjs
L44: function isBinaryInPath(name) {
L45: const probe = spawnSync('command', ['-v', name], { shell: true, encoding: 'utf8' })
L46: return probe.status === 0
High
Shell

Package source references shell execution.

scripts/skills-cli.mjs · L44
scripts/lib/lint-surface/run-fix.mjs
L9: * EXCLUSIVELY canonical re-detect. The worker does not own rollback/tier/ladder, only a single attempt.
L10: * @typedef {import('./types.mjs').LintContext} LintContext
L11: * @typedef {import('./types.mjs').LintViolation} LintViolation
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/lib/lint-surface/run-fix.mjs · L9
rules/image-compress/check/main.mjs
L29:
L30: const r = spawnSync('npx', ['@nitra/minify-image', '--src=.', '--json'], {
L31: cwd,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

rules/image-compress/check/main.mjs · L29
.claude-template/hooks/normalize-decisions.sh
path = .claude-template/hooks/normalize-decisions.sh
kind = payload_in_excluded_dir
sizeBytes = 24528
magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude-template/hooks/normalize-decisions.sh
path = .claude-template/hooks/normalize-decisions.sh
kind = build_helper
sizeBytes = 24528
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.claude-template/hooks/normalize-decisions.sh

Findings

4 High · 5 Medium · 4 Low
High · Child Process · bin/n-cursor.js
High · Shell · scripts/skills-cli.mjs
High · Runtime Package Install · rules/image-compress/check/main.mjs
High · Payload In Excluded Dir · .claude-template/hooks/normalize-decisions.sh
Medium · Dynamic Require · scripts/lib/lint-surface/run-fix.mjs
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · .claude-template/hooks/normalize-decisions.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings