registry  /  @playdrop/playdrop-cli  /  0.12.6

@playdrop/playdrop-cli@0.12.6

Official Playdrop CLI for publishing browser games, creator apps, and AI-generated game assets on playdrop.ai

Static Scan Results

scanned 37m ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 83 file(s), 1.39 MB of source, external domains: 127.0.0.1, ai.blue.playdrop.ai, ai.green.playdrop.ai, ai.localhost, ai.playdrop.ai, ai.preview.playdrop.ai, api.blue.playdrop.ai, api.green.playdrop.ai, api.openai.com, api.playdrop.ai, api.preview.playdrop.ai, assets-local.playdrop.ai, assets.playdrop.ai, blue.playdrop.ai, github.com, green.playdrop.ai, playdrop.ai, preview.playdrop.ai, raw.githubusercontent.com, slack.com, www.localhost, www.playdrop.ai, www.w3.org

Source & flagged code

4 flagged · loading source
dist/playwright.jsView file
67let customLoader = null; L68: const nativeImport = new Function('specifier', 'return import(specifier);'); L69: function setPlaywrightLoader(loader) {
High
Eval

Package source references dynamic code evaluation.

dist/playwright.jsView on unpkg · L67
dist/apiClient.jsView file
5exports.createCliAiClient = createCliAiClient; L6: const api_client_1 = require("@playdrop/api-client"); L7: const ai_client_1 = require("@playdrop/ai-client");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/apiClient.jsView on unpkg · L5
dist/commands/worker.jsView file
5Object.defineProperty(exports, "__esModule", { value: true }); L6: exports.WORKER_CONTEXT_COMMAND_NOT_ALLOWED_MESSAGE = exports.WORKER_SESSION_EXPIRED_MESSAGE = exports.runLoggedProcess = exports.readEnvBoolean = exports.readCodexSandboxMode = exp... L7: exports.allocateWorkerDevPort = allocateWorkerDevPort; ... L113: const WORKER_TRANSCRIPT_CHUNK_BATCH_SIZE = 100; L114: const SLACK_API_BASE_URL = 'https://slack.com/api'; L115: const WORKER_WRAPPER_CONTRACT_VERSION = 1; ... L377: } L378: function resolveWorkerHomeDir() { L379: const custom = node_process_1.default.env.PLAYDROP_WORKER_HOME?.trim(); ... L507: const file = findWorkspaceTaskFile(startDir, 'task.json'); L508: const parsed = JSON.parse((0, node_fs_1.readFileSync)(file, 'utf8')); L509: const taskId = Number(parsed.taskId);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/worker.jsView on unpkg · L5
dist/commands/clients.jsView file
14const node_path_1 = require("node:path"); L15: const node_child_process_1 = require("node:child_process"); L16: const output_1 = require("../output"); ... L18: const MAC_APP_PATH = '/Applications/PlayDrop.app'; L19: const MAC_CLIENT_LATEST_URL = 'https://www.playdrop.ai/api/mac-client/latest'; L20: const WINDOWS_CLIENT_EXECUTABLE = 'PlayDrop.exe'; ... L33: async function getClientStatus(options = {}) { L34: const platform = options.platform ?? process.platform; L35: if (platform === 'win32') { ... L78: console.error(WINDOWS_CLIENT_INSTALL_HINT); L79: process.exitCode = 1; L80: return;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/clients.jsView on unpkg · L14

Findings

2 High5 Medium6 Low
HighEvaldist/playwright.js
HighSandbox Evasion Gated Capabilitydist/commands/clients.js
MediumDynamic Requiredist/apiClient.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/worker.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License