registry  /  @pimmesz/afterburner  /  2.11.0

@pimmesz/afterburner@2.11.0

Convert idle AI-subscription quota (Claude or Codex) into shippable engineering work: budget-aware trigger, bounded task selection, PR-only output.

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 395 KB of source, external domains: api.telegram.org, crontab.guru, git-scm.com, github.com, nodejs.org, ntfy.sh, registry.npmjs.org, www.apple.com

Source & flagged code

5 flagged · loading source
dist/cli/index.jsView file
325// src/cli/commands/auth.ts L326: import { spawn } from "child_process"; L327: import { createInterface } from "readline";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L325
2850if (platform === "win32") { L2851: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L2852: }
High
Shell

Package source references shell execution.

dist/cli/index.jsView on unpkg · L2850
2850if (platform === "win32") { L2851: return { name: "notify", ok: true, detail: "desktop banners via PowerShell toast" }; L2852: } ... L2860: function checkNtfy(config) { L2861: const hasToken = !!process.env.AFTERBURNER_NTFY_TOKEN; L2862: const server = config.notify.ntfy.server; L2863: if (hasToken && !server.startsWith("https://")) { L2864: return {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L2850
2709const results = []; L2710: const version = spawnSync("claude", ["--version"], { encoding: "utf8" }); L2711: if (version.status !== 0) { ... L2715: detail: "claude-code engine selected but the `claude` CLI is not on PATH", L2716: fix: "Install Claude Code: `npm install -g @anthropic-ai/claude-code`, then run `claude /login`." L2717: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L2709
69L70: // package.json L71: var package_default = { ... L116: type: "git", L117: url: "git+https://github.com/pimmesz/afterburner.git" L118: }, ... L155: // src/cli/ui.ts L156: var noColor = !!process.env.NO_COLOR || process.env.TERM === "dumb"; L157: var fancy = process.stdout.isTTY === true && !noColor; L158: var fancyErr = process.stderr.isTTY === true && !noColor; L159: var canAnimate = fancyErr && !process.env.CI; L160: var paint = (enabled) => (open2, close) => (s) => enabled ? `\x1B[${open2}m${s}\x1B[${close}m` : s;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/index.jsView on unpkg · L69

Findings

4 High4 Medium4 Low
HighChild Processdist/cli/index.js
HighShelldist/cli/index.js
HighSame File Env Network Executiondist/cli/index.js
HighRuntime Package Installdist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/index.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings