registry  /  @pondoknusa/cli  /  2.0.4

@pondoknusa/cli@2.0.4

The Pondoknusa command-line interface

Static Scan Results

scanned 20h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 119 file(s), 332 KB of source, external domains: 127.0.0.1, api.example.com, files.your-domain.example, github.com, gitlab.com, pondoknusa.dev, provider.example, your-domain.example

Source & flagged code

2 flagged · loading source
dist/cluster-launcher.jsView file
16async function runWorker() { L17: await import(pathToFileURL(clusterEntry).href); L18: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cluster-launcher.jsView on unpkg · L16
dist/commands/shell.jsView file
8package = @pondoknusa/cli; repositoryIdentity = pondoknusa; dependency = @pondoknusa/repl L8: try { L9: const { startRepl } = await import('@pondoknusa/repl'); L10: return startRepl(projectRoot);
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/commands/shell.jsView on unpkg · L8

Findings

1 High4 Medium4 Low
HighCopied Package Dependency Bridgedist/commands/shell.js
MediumDynamic Requiredist/cluster-launcher.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings