registry  /  @pentoshi/clai  /  2.0.27

@pentoshi/clai@2.0.27

A fast, cross-platform AI CLI assistant with ask and agent modes for shell tasks, file operations, and cybersecurity workflows.

Static Scan Results

scanned 15d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 113 file(s), 1.11 MB of source, external domains: agentrouter.org, api.anthropic.com, api.github.com, api.groq.com, api.openai.com, bedrock-mantle.ap-south-1.api.aws, example.com, generativelanguage.googleapis.com, github.com, html.duckduckgo.com, integrate.api.nvidia.com, llm.kimchi.dev, openrouter.ai, router.bynara.id

Source & flagged code

2 flagged · loading source
dist/store/keys.jsView file
34try { L35: const imported = (await import(keychainModuleName)); L36: cachedKeytar = imported.default ?? imported;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/store/keys.jsView on unpkg · L34
dist/tools/web/ssrf-guard.jsView file
2* SSRF guard — classifies an address (or a hostname literal) as belonging L3: * to a private/loopback/link-local/cloud-metadata/CGNAT range. L4: * ... L19: */ L20: import net from "node:net"; L21: /** ... L23: * `http:` or `https:`. Returns `false` for any other scheme (including L24: * `ftp:`, `file:`, `data:`, `javascript:`, `gopher:`), for empty strings, L25: * for malformed inputs that fail `new URL()` parsing, and for non-string
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/tools/web/ssrf-guard.jsView on unpkg · L2

Findings

1 High4 Medium5 Low
HighCloud Metadata Accessdist/tools/web/ssrf-guard.js
MediumDynamic Requiredist/store/keys.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings