registry  /  @openprd/cli  /  0.1.21

@openprd/cli@0.1.21

AI-native PRD workspace and lifecycle CLI

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 139 file(s), 2.79 MB of source, external domains: commons.wikimedia.org, context7.com, docs.devin.ai, esm.sh, github.com, lobehub.com, mcp.context7.com, mcp.deepwiki.com, openprd.local, phosphoricons.com, techicons.dev, www.iconfont.cn, www.thiings.co, www.w3.org

Source & flagged code

4 flagged · loading source
scripts/openprd-codex-isolated-worker.mjsView file
3import crypto from 'node:crypto'; L4: import { spawn, spawnSync } from 'node:child_process'; L5: import fs from 'node:fs/promises';
High
Child Process

Package source references child process execution.

scripts/openprd-codex-isolated-worker.mjsView on unpkg · L3
src/self-update.jsView file
219const command = process.platform === 'win32' ? 'where openprd' : 'command -v openprd'; L220: const result = await runProcess(command, [], { shell: true }); L221: const executable = result.stdout.split(/\r?\n/).map((line) => line.trim()).find(Boolean) ?? null;
High
Shell

Package source references shell execution.

src/self-update.jsView on unpkg · L219
src/learning-review.jsView file
376...ws, L377: data: { L378: ...ws.data, ... L1325: ' assets/', L1326: ' learning-package.json', L1327: ' learning-content.json',
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/learning-review.jsView on unpkg · L376
src/canvas-workspace.jsView file
25Cross-file remote execution chain: src/canvas-workspace.js spawns src/canvas-app.html.js; helper contains network access plus dynamic code execution. L25: import { createReadStream } from 'node:fs'; L26: import http from 'node:http'; L27: import os from 'node:os'; L28: import path from 'node:path'; L29: import { spawn } from 'node:child_process'; L30: import { fileURLToPath } from 'node:url'; ... L87: }); L88: res.end(JSON.stringify(payload, null, 2)); L89: } ... L111: } L112: const text = Buffer.concat(chunks).toString('utf8'); L113: if (!text.trim()) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

src/canvas-workspace.jsView on unpkg · L25

Findings

3 High2 Medium6 Low
HighChild Processscripts/openprd-codex-isolated-worker.mjs
HighShellsrc/self-update.js
HighCross File Remote Execution Contextsrc/canvas-workspace.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/learning-review.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings