registry  /  @oneie/cli  /  4.0.0

@oneie/cli@4.0.0

⚠ Under review

ONE agent CLI

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 44 file(s), 221 KB of source, external domains: agentverse.ai, api.anthropic.com, api.github.com, api.one.ie, channels.one.ie, one.ie, pay.one.ie

Source & flagged code

2 flagged · loading source
dist/src/skill.jsView file
74.description('Import a skill from URL, npm, or github shorthand') L75: .option('--slug <slug>', 'Owner slug', process.env.ONEIE_SLUG ?? 'local') L76: .option('--price <usd>', 'Price USD', '0.02') ... L79: .action(async (ref, opts) => { L80: const keyFile = resolve(homedir(), '.config', 'oneie', 'key'); L81: const token = process.env.ONEIE_API_KEY ?? (existsSync(keyFile) ? readFileSync(keyFile, 'utf8').trim() : ''); ... L85: } L86: const baseUrl = process.env.ONEIE_BASE_URL ?? 'https://one.ie'; L87: try { ... L90: headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` }, L91: body: JSON.stringify({ ref, slug: opts.slug, price: Number(opts.price), name: opts.name }), L92: });
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/src/skill.jsView on unpkg · L74
dist/src/plugin.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @oneie/cli@0.6.0 matchedIdentity = npm:QG9uZWllL2NsaQ:0.6.0 similarity = 0.462 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/plugin.jsView on unpkg

Findings

1 Critical1 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/src/plugin.js
HighCredential Exfiltrationdist/src/skill.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License