registry  /  @paparats/cli  /  1.7.4

@paparats/cli@1.7.4

CLI for Paparats MCP - semantic code search with AST chunking, symbol graph, and vector search for AI coding assistants

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 157 KB of source, external domains: docker.com, docs.docker.com, host.docker.internal, huggingface.co, www.apple.com, www.yamllint.com

Source & flagged code

5 flagged · loading source
dist/commands/edit.jsView file
1import { Command } from 'commander'; L2: import { spawnSync } from 'child_process'; L3: import fs from 'fs';
High
Child Process

Package source references child process execution.

dist/commands/edit.jsView on unpkg · L1
dist/commands/install.jsView file
4import os from 'os'; L5: import { execSync, spawn } from 'child_process'; L6: import chalk from 'chalk'; ... L17: const CODE_MODEL_NAME = 'jina-code-embeddings'; L18: const CODE_GGUF_URL = 'https://huggingface.co/jinaai/jina-code-embeddings-1.5b-GGUF/resolve/main/jina-code-embeddings-1.5b-Q8_0.gguf'; L19: const CODE_GGUF_FILE = path.join(MODELS_DIR, 'jina-code-embeddings-1.5b-Q8_0.gguf'); ... L24: try { L25: const command = process.platform === 'win32' ? `where ${cmd}` : `command -v ${cmd}`; L26: execSync(command, { stdio: 'ignore', timeout: 3000 }); ... L101: } L102: const buffer = await response.arrayBuffer(); L103: fs.writeFileSync(dest, Buffer.from(buffer));
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/install.jsView on unpkg · L4
4import os from 'os'; L5: import { execSync, spawn } from 'child_process'; L6: import chalk from 'chalk'; ... L17: const CODE_MODEL_NAME = 'jina-code-embeddings'; L18: const CODE_GGUF_URL = 'https://huggingface.co/jinaai/jina-code-embeddings-1.5b-GGUF/resolve/main/jina-code-embeddings-1.5b-Q8_0.gguf'; L19: const CODE_GGUF_FILE = path.join(MODELS_DIR, 'jina-code-embeddings-1.5b-Q8_0.gguf'); ... L24: try { L25: const command = process.platform === 'win32' ? `where ${cmd}` : `command -v ${cmd}`; L26: execSync(command, { stdio: 'ignore', timeout: 3000 }); ... L101: } L102: const buffer = await response.arrayBuffer(); L103: fs.writeFileSync(dest, Buffer.from(buffer));
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/install.jsView on unpkg · L4
dist/commands/doctor.jsView file
25try { L26: execSync('docker compose version', { stdio: 'ignore', timeout: 3000 }); L27: return true; ... L37: // Resolve config for URLs/models L38: const qdrantUrl = process.env.QDRANT_URL ?? 'http://localhost:6333'; L39: const embedUrl = process.env.EMBED_URL ?? 'http://localhost:11434';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/doctor.jsView on unpkg · L25
dist/commands/update.jsView file
172try { L173: exec(`npm install -g ${NPM_PACKAGE}@latest`, { L174: stdio: opts.verbose ? 'inherit' : ['pipe', 'pipe', 'pipe'],
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/update.jsView on unpkg · L172

Findings

5 High4 Medium5 Low
HighChild Processdist/commands/edit.js
HighShell
HighSame File Env Network Executiondist/commands/doctor.js
HighSandbox Evasion Gated Capabilitydist/commands/install.js
HighRuntime Package Installdist/commands/update.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/install.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings