Static Scan Results
scanned 4h ago · by rust-scannerStatic analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/src/skill.jsView file
74.description('Import a skill from URL, npm, or github shorthand')
L75: .option('--slug <slug>', 'Owner slug', process.env.ONEIE_SLUG ?? 'local')
L76: .option('--price <usd>', 'Price USD', '0.02')
...
L79: .action(async (ref, opts) => {
L80: const keyFile = resolve(homedir(), '.config', 'oneie', 'key');
L81: const token = process.env.ONEIE_API_KEY ?? (existsSync(keyFile) ? readFileSync(keyFile, 'utf8').trim() : '');
...
L85: }
L86: const baseUrl = process.env.ONEIE_BASE_URL ?? 'https://one.ie';
L87: try {
...
L90: headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
L91: body: JSON.stringify({ ref, slug: opts.slug, price: Number(opts.price), name: opts.name }),
L92: });
High
Credential Exfiltration
Source combines credential-like environment material and outbound requests; review data flow before blocking.
dist/src/skill.jsView on unpkg · L74dist/src/plugin.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @oneie/cli@0.6.0
matchedIdentity = npm:QG9uZWllL2NsaQ:0.6.0
similarity = 0.462
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/plugin.jsView on unpkgFindings
1 Critical1 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/src/plugin.js
HighCredential Exfiltrationdist/src/skill.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License