
@playlist-tech/enterprise-skills@1.5.14-enterprise.5

An enterprise-customizable fork of Vercel Labs' skills CLI for internal skill registries.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 findings at 72.0% confidence. This version is warn-only (installs are warned, not blocked) unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

Public snapshot
Behavioral surface (from source): Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, URL Strings
Manifest: Wildcard Dependency
Scanned 10 file(s), 454 KB of source. External domains referenced: add-skill.vercel.sh, api.github.com, example.com, github.com, gitlab.com, raw.githubusercontent.com, schemas.agentskills.io, skills.sh

Source & flagged code

2 flagged

dist/_chunks/libs/simple-git.mjs
L4: import { Buffer as Buffer$1 } from "node:buffer";
L5: import { spawn } from "child_process";
L6: import { normalize } from "node:path";
High
Child Process

Package source references child process execution. In a vendored simple-git chunk this is expected, since simple-git drives the git binary through spawn; the review question is whether the spawned command or its arguments can be influenced by untrusted input, for example a repository URL supplied on the command line.

dist/_chunks/libs/simple-git.mjs · L4
dist/cli.mjs
Cross-file remote execution chain: dist/cli.mjs spawns dist/_chunks/libs/simple-git.mjs; helper contains network access plus dynamic code execution.
L17: import { promisify } from "util";
L18: import { execFile, execSync, spawn, spawnSync } from "child_process";
L19: import { access, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpath, rm, stat, symlink, writeFile } from "fs/promises";
...
L22: import { createHash as createHash$1 } from "node:crypto";
L23: import { gunzipSync, inflateRawSync } from "node:zlib";
L24: var import_picocolors = /* @__PURE__ */ __toESM(require_picocolors(), 1);
...
L41: }
L42: if (!parsed.url.startsWith("http://") && !parsed.url.startsWith("https://")) return null;
L43: try {
...
L61: if (!res.ok) return "unknown";
L62: return (await res.json()).private === true ? "private" : "public";
L63: } catch {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking. Two points for the reviewer: the excerpt shown (L42 and L61 to L62) is a URL-scheme guard plus a repository-visibility lookup that reads a "private" flag from a JSON API response, and it contains no dynamic-execution call (eval, new Function, vm.*) itself, so locate the exact match before treating that part of the finding as confirmed. Also, the _chunks path and the bundler helper visible at L24 (__toESM(require_picocolors())) suggest dist/cli.mjs loads simple-git.mjs as a module chunk rather than launching it as a separate process, so check which edge the scanner actually followed before relying on the "spawns" wording.

dist/cli.mjs · L17
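As an added example (this is not rust-scanner's implementation and not code from @playlist-tech/enterprise-skills), the Node script below shows how the Child Process and Cross File Remote Execution Context signals above can be derived: per-file regex signals, a Shannon-entropy check on long string literals, host extraction from URL strings, and a walk over relative import edges that joins a process-spawning file to a helper carrying both network and dynamic-code signals. The signal regexes, the 4.5-bit entropy threshold, the file names and the file contents are all constructed for illustration.

```javascript
// Added illustration (not rust-scanner and not the enterprise-skills source):
// a minimal behavioral-surface scanner over an in-memory package. The signal
// regexes, the 4.5-bit entropy threshold and the sample files are assumptions.
const SIGNALS = {
  ChildProcess: /\bfrom\s+["'](?:node:)?child_process["']|require\(["'](?:node:)?child_process["']\)/,
  Network: /\bfetch\s*\(|\bfrom\s+["'](?:node:)?https?["']/,
  DynamicCode: /\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.runIn/,
  EnvironmentVars: /\bprocess\.env\b/,
  Filesystem: /\bfrom\s+["'](?:node:)?fs(?:\/promises)?["']/,
};
const URL_RE = /https?:\/\/[a-z0-9.-]+/gi;                 // scheme + host only
const LONG_LITERAL_RE = /["'][A-Za-z0-9+/=_-]{32,}["']/g;  // candidate secrets/blobs
const RELATIVE_IMPORT_RE = /\bfrom\s+["'](\.[^"']+)["']/g; // edges inside the package
const ENTROPY_THRESHOLD = 4.5; // bits per character; assumed cut-off

// Shannon entropy in bits per character; random base64 sits near 6, prose near 4.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) { const p = c / s.length; h -= p * Math.log2(p); }
  return h;
}

// Resolve "./x/y.mjs" against the importing file without touching the disk.
function resolveRelative(fromFile, spec) {
  const parts = fromFile.split("/").slice(0, -1);
  for (const seg of spec.split("/")) {
    if (seg === "..") parts.pop();
    else if (seg !== ".") parts.push(seg);
  }
  return parts.join("/");
}

// Per-file surface: which signal families fire, which hosts are named,
// which long literals look random, and which package files it imports.
function scanFile(path, src) {
  const surface = new Set();
  for (const [name, re] of Object.entries(SIGNALS)) if (re.test(src)) surface.add(name);
  const domains = new Set((src.match(URL_RE) || []).map((u) => u.replace(/^https?:\/\//i, "").toLowerCase()));
  const highEntropy = (src.match(LONG_LITERAL_RE) || [])
    .map((lit) => lit.slice(1, -1))
    .filter((lit) => shannonEntropy(lit) > ENTROPY_THRESHOLD);
  const imports = [...src.matchAll(RELATIVE_IMPORT_RE)].map((m) => resolveRelative(path, m[1]));
  return { path, surface, domains, highEntropy, imports };
}

// Cross-file chain: a file that can spawn processes reaches, through its
// import graph, a helper that has both network access and dynamic code execution.
function scanPackage(files) {
  const results = new Map(Object.entries(files).map(([p, s]) => [p, scanFile(p, s)]));
  const chains = [];
  for (const r of results.values()) {
    if (!r.surface.has("ChildProcess")) continue;
    const seen = new Set([r.path]);
    const queue = [...r.imports];
    while (queue.length) {
      const p = queue.shift();
      if (seen.has(p)) continue;
      seen.add(p);
      const h = results.get(p);
      if (!h) continue; // import target not in the scanned set
      if (h.surface.has("Network") && h.surface.has("DynamicCode")) chains.push({ spawner: r.path, helper: p });
      queue.push(...h.imports);
    }
  }
  return { results, chains };
}

// Constructed sample package; the file contents are made up for this example.
const SAMPLE_FILES = {
  "dist/cli.mjs": [
    'import { spawn } from "child_process";',
    'import { readFile } from "fs/promises";',
    'import { repoVisibility } from "./_chunks/libs/helper.mjs";',
    'const token = process.env.GITHUB_TOKEN;',
    'export async function install(url) {',
    '  if (!url.startsWith("http://") && !url.startsWith("https://")) return null;',
    '  const vis = await repoVisibility(url, token);',
    '  spawn("git", ["clone", url]);',
    '  return vis;',
    '}',
  ].join("\n"),
  "dist/_chunks/libs/helper.mjs": [
    'const KEY = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn"; // 40 distinct chars: flagged',
    'const PAD = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // zero entropy: ignored',
    'export async function repoVisibility(url, token) {',
    '  const res = await fetch("https://api.github.com/repos/" + url.split("/").slice(-2).join("/"));',
    '  return (await res.json()).private === true ? "private" : "public";',
    '}',
    'export function run(src) { return new Function(src)(); }',
  ].join("\n"),
  "dist/util.mjs": 'export const join = (a, b) => a + "/" + b;',
};

// One line per file plus one per detected chain, in the style of a scan report.
function report(scan) {
  const lines = [];
  for (const r of scan.results.values()) {
    lines.push(`${r.path}: surface=[${[...r.surface].join(", ")}] domains=[${[...r.domains].join(", ")}] highEntropy=${r.highEntropy.length}`);
  }
  for (const c of scan.chains) lines.push(`cross-file chain: ${c.spawner} -> ${c.helper}`);
  return lines;
}

console.log(report(scanPackage(SAMPLE_FILES)).join("\n"));
```

Two design points worth noticing. The chain walk follows import edges, so a bundler chunk reached via import is reported exactly like a helper launched as a separate process; a finding text that says "spawns" therefore deserves a look at which edge was actually followed. And regexes over source are a coarse instrument: computed property names, minified identifiers or a vm call reached through an alias will be missed, and an innocent "new Function" in a polyfill will be hit, which is why this kind of result stays warn-only until a human or an AST-level review confirms it.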

Findings

3 High · 3 Medium · 5 Low

High · Child Process · dist/_chunks/libs/simple-git.mjs
High · Shell
High · Cross File Remote Execution Context · dist/cli.mjs
Medium · Network
Medium · Environment Vars
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · URL Strings