@opencodehub/cli@0.10.8

OpenCodeHub — codehub CLI (analyze, setup, mcp, list, status, clean, query, context, impact, sql)

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence (public snapshot)

Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 67 file(s), 1.50 MB of source, external domains: cyclonedx.org, docs.astral.sh, dotnet.microsoft.com, git-scm.com, github.com, in-toto.io, opencodehub.dev, repo1.maven.org

Source & flagged code

6 flagged

dist/doctor-FS4YNQ2E.js
L140: try {
L141:   const mod = await import("node:sqlite");
L142:   const DatabaseSync = mod.DatabaseSync;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/doctor-FS4YNQ2E.js · L140

dist/chunk-IZKCCDTF.js
L22: import { homedir as homedir6 } from "node:os";
L23: import { dirname as dirname4, join as join4, resolve as resolve6 } from "node:path";
L24: import { fileURLToPath as fileURLToPath2 } from "node:url";
...
L26: // src/cobol-proleap-setup.ts
L27: import { spawn } from "node:child_process";
L28: import { statSync } from "node:fs";
...
L50: });
L51: let stdout = "";
L52: let stderr = "";
...
L211: function defaultVendorDir(home) {
L212:   return join(home ?? homedir(), ".codehub", "vendor", "proleap");
L213: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunk-IZKCCDTF.js · L22

dist/chunk-CJW3KSEV.js
package = @opencodehub/cli; repositoryIdentity = opencodehub; dependency = @chonkiejs/core
L343: async function defaultLoadChonkie() {
L344:   const mod = await import("@chonkiejs/core");
L345:   let version;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/chunk-CJW3KSEV.js · L343

dist/vendor/wasms/tree-sitter-go.wasm
path = dist/vendor/wasms/tree-sitter-go.wasm; kind = wasm_module; sizeBytes = 217182; magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/vendor/wasms/tree-sitter-go.wasm

dist/plugin-assets/hooks/docs-staleness.sh
path = dist/plugin-assets/hooks/docs-staleness.sh; kind = build_helper; sizeBytes = 1580; magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/plugin-assets/hooks/docs-staleness.sh

dist/variance-probe-NZL42YXR.js
matchType = previous_version_dangerous_delta; matchedPackage = @opencodehub/cli@0.10.6; matchedIdentity = npm:QG9wZW5jb2RlaHViL2NsaQ:0.10.6; similarity = 0.773; summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/variance-probe-NZL42YXR.js

Findings

3 High · 5 Medium · 4 Low

High · Sandbox Evasion Gated Capability · dist/chunk-IZKCCDTF.js
High · Copied Package Dependency Bridge · dist/chunk-CJW3KSEV.js
High · Previous Version Dangerous Delta · dist/variance-probe-NZL42YXR.js
Medium · Dynamic Require · dist/doctor-FS4YNQ2E.js
Medium · Environment Vars
Medium · Ships Wasm Module · dist/vendor/wasms/tree-sitter-go.wasm
Medium · Ships Build Helper · dist/plugin-assets/hooks/docs-staleness.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings