registry  /  @polka-codes/cli  /  0.11.0

@polka-codes/cli@0.11.0

[![npm version](https://img.shields.io/npm/v/@polka-codes/cli.svg)](https://www.npmjs.com/package/@polka-codes/cli) [![npm downloads](https://img.shields.io/npm/dm/@polka-codes/cli.svg)](https://www.npmjs.com/package/@polka-codes/cli) [![License](https://

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 1 file(s), 687 KB of source, external domains: cli.github.com, github.com, openrouter.ai, polka.codes
Oversized source lightweight scan
dist/bin.cjs4.70 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoDynamicRequireHighEntropyStringsUrlStringsgithub.com

Source & flagged code

8 flagged · loading source
dist/index.jsView file
1516// src/workflows/workflow.utils.ts L1517: import { execSync } from "node:child_process"; L1518: import { promises as fs } from "node:fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1516
1947return new Promise((resolve, reject) => { L1948: const child = input3.shell === true ? input3.args && input3.args.length > 0 ? spawn(input3.command, input3.args, { shell: true, stdio: "pipe" }) : spawn(input3.command, { shell: tr... L1949: shell: false,
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L1947
336apiKey: config.apiKey, L337: baseURL: config.baseUrl, L338: fetch: fetchOverride ... L1516: // src/workflows/workflow.utils.ts L1517: import { execSync } from "node:child_process"; L1518: import { promises as fs } from "node:fs"; ... L3277: L3278: Available tools: git_diff, readFile, readBinaryFile, searchFiles, listFiles. L3279: Do not use executeCommand or shell commands. Do not inspect node_modules, vendor, or other dependency directories. ... L10009: const template = generateSkillTemplate(name); L10010: writeFileSync(join11(skillDir, "SKILL.md"), template); L10011: logger.info(`Created SKILL.md`);
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/index.jsView on unpkg · L336
16var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res); L17: var __require = /* @__PURE__ */ createRequire(import.meta.url); L18:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L16
6871regex: /eval\s*\(/, L6872: type: "Unsafe eval() usage", L6873: severity: 800 /* HIGH */
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L6871
dist/sql-wasm.wasmView file
path = dist/sql-wasm.wasm kind = wasm_module sizeBytes = 659730 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/sql-wasm.wasmView on unpkg
dist/bin.cjsView file
path = dist/bin.cjs kind = oversized_source_file sizeBytes = 4928982 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/bin.cjsView on unpkg
path = dist/bin.cjs kind = oversized_cli_entrypoint sizeBytes = 4928982 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/bin.cjsView on unpkg

Findings

4 High6 Medium6 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighRemote Agent Bridgedist/index.js
HighOversized Source Filedist/bin.cjs
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduledist/sql-wasm.wasm
MediumOversized Cli Entrypointdist/bin.cjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License