registry  /  @principal-ai/principal-view-cli  /  0.31.1

@principal-ai/principal-view-cli@0.31.1

Principal View CLI - Validate and manage .canvas configuration files

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 814 KB of source, external domains: api.github.com, app.principal-ade.com, github.com, lucide.dev, opentelemetry.io, refactoring.guru, www.typescriptlang.org
Oversized source lightweight scan
dist/index.cjs12.0 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringsapp.principal-ade.comrefactoring.guruwww.typescriptlang.org

Source & flagged code

7 flagged · loading source
dist/commands/trail.jsView file
68patternName = generic_password severity = medium line = 68 matchedText = const to...m();
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/commands/trail.jsView on unpkg · L68
dist/lib/open-url.jsView file
9*/ L10: import { spawn } from 'node:child_process'; L11: export function openInBrowser(url) {
High
Child Process

Package source references child process execution.

dist/lib/open-url.jsView on unpkg · L9
dist/commands/hooks.jsView file
4* This command installs/removes pre-commit hooks into a target project L5: * that will run `npx @principal-ai/principal-view-cli doctor` and `npx @principal-ai/principal-view-cli validate` before each commit. L6: */ ... L10: import chalk from 'chalk'; L11: import { execSync } from 'node:child_process'; L12: const HUSKY_DIR = '.husky';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/hooks.jsView on unpkg · L4
dist/index.cjsView file
path = dist/index.cjs kind = oversized_source_file sizeBytes = 12540351 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.cjsView on unpkg
path = dist/index.cjs kind = oversized_cli_entrypoint sizeBytes = 12540351 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/index.cjsView on unpkg
dist/commands/inbox.jsView file
37patternName = generic_password severity = medium line = 37 matchedText = const to...m();
Medium
Secret Pattern

Hardcoded password in dist/commands/inbox.js

dist/commands/inbox.jsView on unpkg · L37
dist/commands/topic.jsView file
47patternName = generic_password severity = medium line = 47 matchedText = const to...m();
Medium
Secret Pattern

Hardcoded password in dist/commands/topic.js

dist/commands/topic.jsView on unpkg · L47

Findings

4 High7 Medium4 Low
HighChild Processdist/lib/open-url.js
HighShell
HighRuntime Package Installdist/commands/hooks.js
HighOversized Source Filedist/index.cjs
MediumSecret Patterndist/commands/trail.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/index.cjs
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/commands/inbox.js
MediumSecret Patterndist/commands/topic.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings