
@objectstack/cli@11.10.0

Command Line Interface for ObjectStack Protocol

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 89 file(s), 789 KB of source, external domains: api.example.com, cdn.example.com, cloud.objectos.ai, github.com, nodejs.org, objectstack.dev, schema.objectstack.io

Source & flagged code

6 flagged locations
dist/commands/generate.js · L537 (source on unpkg)
Medium · Secret Pattern
Package contains a possible secret pattern.

L537: patternName = generic_password severity = medium line = 537 matchedText = password...5)',
dist/utils/auth-flows.js · L39 (source on unpkg)
High · Child Process
Package source references child process execution. In the visible lines the child process is a browser opener: exec() is imported from node:child_process and, as the L46 finding below shows, the URL is interpolated into a shell command string rather than passed as a separate argument.

L39: async function openBrowser(url) {
L40:   const { exec } = await import('node:child_process');
L41:   const platform = process.platform;
dist/utils/auth-flows.js · L46 (source on unpkg)
High · Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking. In the visible lines the three ingredients are the OS_CLI_CLIENT_ID environment variable used as a default client id (L55), the RFC 8628 device authorization request POSTed to `${url}/api/v1/auth/device/code` (L58), and the browser opener built on exec() (L47).

L46:     `xdg-open "${url}"`;
L47:   exec(cmd, () => {
L48:     /* best-effort */
...
L54: export async function loginWithBrowser(url, opts = {}) {
L55:   const clientId = opts.clientId ?? process.env.OS_CLI_CLIENT_ID ?? 'objectstack-cli';
L56:   const silent = !!opts.silent;
L57:   // RFC 8628 §3.1 — Device Authorization Request
L58:   const res = await globalThis.fetch(`${url}/api/v1/auth/device/code`, {
L59:     method: 'POST',
dist/utils/extract-hook-body.js · L35 (source on unpkg)
Low · Eval
Package source references a known benign dynamic code generation pattern. In the visible lines the eval and new Function tokens occur only inside regex literals of a deny-list that rejects those constructs in hook/action bodies; nothing shown here evaluates code.

L35:   { rx: /\bglobalThis\s*\./, reason: '`globalThis` access is not allowed in hook/action bodies' },
L36:   { rx: /\beval\s*\(/, reason: '`eval()` is not allowed in hook/action bodies' },
L37:   { rx: /\bnew\s+Function\s*\(/, reason: '`new Function()` is not allowed in hook/action bodies' },
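The three deny-list rules visible at L35-37, run over constructed hook bodies. This is an added example, not the package's code; the rest of the package's rule list is not on this page, so the "missed" inputs only show which spellings slip past these three rules, which is the general limit of regex gating: a deny-list rejects the spellings it knows, and isolating untrusted hook bodies needs an execution boundary rather than a pattern match.

```javascript
// Added example (not the package's code): the three rules visible on the page,
// applied to constructed hook bodies. The package's full list is not shown.
const VISIBLE_RULES = [
  { rx: /\bglobalThis\s*\./, reason: '`globalThis` access is not allowed in hook/action bodies' },
  { rx: /\beval\s*\(/, reason: '`eval()` is not allowed in hook/action bodies' },
  { rx: /\bnew\s+Function\s*\(/, reason: '`new Function()` is not allowed in hook/action bodies' },
];

// Returns the reason string of every rule that matches the body (empty if none).
function checkHookBody(body, rules = VISIBLE_RULES) {
  return rules.filter((r) => r.rx.test(body)).map((r) => r.reason);
}

// Constructed inputs. The first three are caught by the visible rules; the last
// three reach the same capability through spellings the visible rules do not
// cover (bracket access, indirect eval, Function() without `new`).
const SAMPLES = {
  caught_global: 'return globalThis.process.env.HOME;',
  caught_eval: 'return eval("1+1");',
  caught_function: 'return new Function("return 1")();',
  missed_bracket: 'return globalThis["process"].env.HOME;',
  missed_indirect_eval: 'return (0, eval)("1+1");',
  missed_function_call: 'return Function("return 1")();',
};

// Maps each sample name to whether the visible rules reject it.
function classifySamples() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    out[name] = checkHookBody(body).length > 0;
  }
  return out;
}
```

Running classifySamples() gives true for the three caught_* bodies and false for the three missed_* bodies; any rule the package has beyond the visible three could change the second group, which is exactly why the finding is worth a look at the full list rather than a verdict from the snippet.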
dist/commands/serve.js · L59 (source on unpkg)
Medium · Dynamic Require
Package source references dynamic require/import behavior. In the visible lines the specifier is the string literal '@objectstack/observability', loaded inside a try block, i.e. an optional module whose absence is tolerated; the module name is not derived at runtime.

L59: try {
L60:   mod = await import('@objectstack/observability');
L61: }
dist/commands/login.js · L6 (source on unpkg)
High · Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. What triggers the rule in the visible lines is the process.platform switch at L65 that selects the browser-opening command (open, start or xdg-open) before exec(); this is platform dispatch for the opener, and no CI, host, time or geo check appears in the shown lines. The same openBrowser shape also appears in dist/utils/auth-flows.js. L20-22 read terminal input in raw mode.

L6: import * as readline from 'node:readline/promises';
L7: import { stdin as input, stdout as output } from 'node:process';
L8: /**
...
L20:   const chars = [];
L21:   process.stdout.write(promptText);
L22:   process.stdin.setRawMode(true);
...
L62: async function openBrowser(url) {
L63:   const { exec } = await import('node:child_process');
L64:   const platform = process.platform;
L65:   const cmd = platform === 'darwin' ? `open "${url}"` : platform === 'win32' ? `start "" "${url}"` : `xdg-open "${url}"`;
...
L71:   '$ os login',
L72:   '$ os login --url https://api.example.com',
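A hardened replacement for the openBrowser shape shown in the auth-flows.js and login.js snippets above, where the URL is interpolated into a shell command string handed to exec(). This is an added example and not the package's code. Whether a hostile URL can reach that call is not something this page establishes (the visible caller is the --url option of os login, i.e. the user's own input); the point is what the Shell and Child Process signals detect and how the same feature looks when it passes review: the URL is validated, re-serialized, and passed to spawn() as a separate argv element with no shell. The opener commands are the ones in the snippet; the FORBIDDEN and CMD_META policies and the helper names are this example's choices.

```javascript
// Added example (not the package's code): hardened browser opener for the
// exec()-with-interpolated-URL pattern flagged in auth-flows.js and login.js.

// The shape visible in the scanner snippets, reconstructed for contrast only.
// It is never executed here; it only shows what the shell would receive.
function flaggedCommandString(platform, url) {
  return platform === 'darwin' ? `open "${url}"`
       : platform === 'win32' ? `start "" "${url}"`
       : `xdg-open "${url}"`;
}

// Whitespace, quotes, backticks, backslashes and control characters never belong
// in a serialized http(s) URL (encode an apostrophe as %27); refuse them outright.
const FORBIDDEN = /[\s"'`\\\x00-\x1f\x7f]/;
// cmd.exe metacharacters, only relevant where `start` forces a shell (win32).
const CMD_META = /[&|<>^%!]/;

// Accept only http(s); re-serialize through the WHATWG parser, which
// percent-encodes quotes and spaces in path, query and fragment; then reject
// anything still suspicious. Returns the canonical href or null.
function validateBrowserUrl(raw) {
  let parsed;
  try { parsed = new URL(String(raw)); } catch { return null; }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  const href = parsed.href;
  return FORBIDDEN.test(href) ? null : href;
}

// Program plus argv for the platform (same three openers as the snippet). On
// win32 `start` is a cmd.exe builtin, so a shell is unavoidable; compensate by
// refusing URLs that contain cmd.exe metacharacters.
function buildOpenArgv(platform, href) {
  switch (platform) {
    case 'darwin':
      return { cmd: 'open', args: [href] };
    case 'win32':
      if (CMD_META.test(href)) return null;
      return { cmd: 'cmd.exe', args: ['/c', 'start', '', href] };
    default:
      return { cmd: 'xdg-open', args: [href] };
  }
}

// Best-effort like the original: false if the URL is rejected, true once the
// opener has been spawned (whether or not a browser actually appears).
async function openBrowser(url, platform = process.platform) {
  const href = validateBrowserUrl(url);
  if (href === null) return false;
  const argv = buildOpenArgv(platform, href);
  if (argv === null) return false;
  const { spawn } = await import('node:child_process');
  const child = spawn(argv.cmd, argv.args, { stdio: 'ignore', detached: true, shell: false });
  child.on('error', () => {}); // best-effort, as in the original
  child.unref();
  return true;
}
```

With a constructed URL such as https://example.com/a"; touch /tmp/pwned; " the flaggedCommandString() output contains the injected command verbatim, while validateBrowserUrl() returns https://example.com/a%22;%20touch%20/tmp/pwned;%20%22, which spawn() passes to xdg-open as one inert argument. The process.platform switch that the Sandbox Evasion rule reads as a fingerprint check stays, but it now only selects argv.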

Findings

4 High · 5 Medium · 5 Low

High · Child Process · dist/utils/auth-flows.js
High · Shell
High · Same File Env Network Execution · dist/utils/auth-flows.js
High · Sandbox Evasion Gated Capability · dist/commands/login.js
Medium · Secret Pattern · dist/commands/generate.js
Medium · Dynamic Require · dist/commands/serve.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · dist/utils/extract-hook-body.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings