registry  /  @proofkit/cli  /  3.0.2

@proofkit/cli@3.0.2

⚠ Under review

Interactive CLI to scaffold and manage ProofKit projects

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 215 file(s), 1.83 MB of source, external domains: 127.0.0.1, api.pwnedpasswords.com, create.t3.gg, dotenvx.com, downloads.ottomatic.cloud, github.com, json-schema.org, ottomatic.cloud, pnpm.io, proof.sh, proofkit.proof.sh, raw.githubusercontent.com, www.w3.org
Oversized source lightweight scan
dist/mcp-CTrK90xI.js3.58 MB file, sampled 256 KB
ChildProcessEnvironmentVarsMinifiedUrlStringsjson-schema.orgwww.w3.org

Source & flagged code

6 flagged · loading source
bin/proofkit.cjsView file
5const path = require("node:path"); L6: const { spawnSync } = require("node:child_process"); L7:
High
Child Process

Package source references child process execution.

bin/proofkit.cjsView on unpkg · L5
5Cross-file remote execution chain: bin/proofkit.cjs spawns dist/index.js; helper contains network access plus dynamic code execution. L5: const path = require("node:path"); L6: const { spawnSync } = require("node:child_process"); L7: ... L26: env: { L27: ...process.env, L28: PROOFKIT_PKG_ROOT: path.resolve(__dirname, ".."), L29: }, ... L43: if (process.env.PROOFKIT_DISABLE_BUNDLED_BINARY !== "1") { L44: const binaryName = BINARIES[process.platform]?.[process.arch]; L45: if (binaryName) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/proofkit.cjsView on unpkg · L5
dist/install-fm-addon-CJt415Nv.jsView file
1import{i as e,n as t,r as n,t as r}from"./rolldown-runtime-DSjMdhoD.js";import{t as i}from"./graceful-fs-VGVzJ4T0.js";import{n as a}from"./open-CrTh9DTC.js";import o from"node:path... L2: `:` ... L4: `,i)}while(r!==-1);return a+=e.slice(i),a}const{stdout:ie,stderr:R}=ne,z=Symbol(`GENERATOR`),B=Symbol(`STYLER`),V=Symbol(`IS_EMPTY`),ae=[`ansi`,`ansi`,`ansi256`,`ansi16m`],oe=Objec... L5: `);return a!==-1&&(t=re(t,i,r,a)),r+t+i};Object.defineProperties(ue.prototype,oe);const ge=ue();ue({level:R?R.level:0});var _e=r(((e,t)=>{t.exports={name:`dotenv`,version:`16.6.1`,... L6: `);let r;for(;(r=c.exec(n))!=null;){let e=r[1],n=r[2]||``;n=n.trim();let i=n[0];n=n.replace(/^(['"`])([\s\S]*)\1$/gm,`$2`),i===`"`&&(n=n.replace(/\\n/g,` L7: `),n=n.replace(/\\r/g,`\r`)),t[e]=n}return t}function u(e){e||={};let t=g(e);e.path=t;let n=C.configDotenv(e);if(!n.parsed){let e=Error(`MISSING_DATA: Cannot parse ${t} for an unkn... L8: ... L49: `,t+1),i=r===-1?``:n.slice(r+1);String(e.stack).endsWith(i)||(e.stack+=` L50: `+n)}}catch{}}throw e}}_request(e,t){typeof e==`string`?(t||={},t.url=e):t=e||{},t=Ma(this.defaults,t);let{transitional:n,paramsSerializer:r,headers:i}=t;n!==void 0&&ao.assertOptio...
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/install-fm-addon-CJt415Nv.jsView on unpkg · L1
Trigger-reachable chain: manifest.exports -> dist/index.js -> dist/install-fm-addon-CJt415Nv.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/install-fm-addon-CJt415Nv.jsView on unpkg
template/extras/start-database/postgres.shView file
path = template/extras/start-database/postgres.sh kind = build_helper sizeBytes = 1941 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

template/extras/start-database/postgres.shView on unpkg
dist/mcp-CTrK90xI.jsView file
path = dist/mcp-CTrK90xI.js kind = oversized_source_file sizeBytes = 3752937 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/mcp-CTrK90xI.jsView on unpkg

Findings

2 Critical3 High5 Medium6 Low
CriticalRemote Asset Decode Executedist/install-fm-addon-CJt415Nv.js
CriticalTrigger Reachable Dangerous Capabilitydist/install-fm-addon-CJt415Nv.js
HighChild Processbin/proofkit.cjs
HighCross File Remote Execution Contextbin/proofkit.cjs
HighOversized Source Filedist/mcp-CTrK90xI.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helpertemplate/extras/start-database/postgres.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings