registry  /  @qaecy/cue-cli  /  0.0.50

@qaecy/cue-cli@0.0.50

Cue CLI for QAECY platform

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 4 file(s), 530 KB of source, external domains: 10.0.3.120, 4dx.embl.de, a9.com, abs.270a.info, academic-meta-tool.xyz, accessors-api-gateway-ueyeemwf2a-oa.a.run.app, activitypods.org, advene.org, aers.data2semantics.org, agrinepaldata.com, aims.fao.org, akonadi-project.org, aksw.org, aleth.io, animaldiversity.org, annotation.semanticweb.org, api.bloomberg.com, api.hyprdia.com, api.ohdsi.org, app.korfin.de, archaeology.link, archdesc.info, archivo.dbpedia.org, art.uniroma2.it, assemblee-virtuelle.github.io, atomowl.org, auto.schema.org, automotive.eurecom.fr, awesemantic-geo.link, awslabs.github.io, babelnet.org, bag.basisregistraties.overheid.nl, bag2.basisregistraties.overheid.nl, bblfish.net, beer.com, betalinkeddata.cbs.nl, bg.dbpedia.org, bgt.basisregistraties.overheid.nl, bibliograph.net, biglinkeddata.com, bihap.kb.gov.tr, bing.com, bio2rdf.org, bioentity.io, biohackathon.org, bioinformatics.ua.pt, bioportal.bioontology.org, bioschemas.org, bis.270a.info, blogs.yandex.ru

Source & flagged code

5 flagged · loading source
main.jsView file
404patternName = google_api_key severity = high line = 404 matchedText = apiKey: ...Lk",
High
High Secret

Package contains a high-severity secret pattern.

main.jsView on unpkg · L404
404patternName = google_api_key severity = high line = 404 matchedText = apiKey: ...Lk",
High
Secret Pattern

Google API key in main.js

main.jsView on unpkg · L404
5112patternName = google_api_key severity = high line = 5112 matchedText = apiKey: ...l0",
High
Secret Pattern

Google API key in main.js

main.jsView on unpkg · L5112
hash-worker.jsView file
1// apps/desktop/cue-cli/src/hash-worker.js L2: var { parentPort } = require("worker_threads"); L3: var { createReadStream } = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

hash-worker.jsView on unpkg · L1
assets/wasm/dir_scanner_wasm_bg.wasmView file
path = assets/wasm/dir_scanner_wasm_bg.wasm kind = wasm_module sizeBytes = 380698 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

assets/wasm/dir_scanner_wasm_bg.wasmView on unpkg

Findings

3 High5 Medium4 Low
HighHigh Secretmain.js
HighSecret Patternmain.js
HighSecret Patternmain.js
MediumDynamic Requirehash-worker.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleassets/wasm/dir_scanner_wasm_bg.wasm
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License