registry  /  @quantum-ai/gemini-cli  /  0.45.4

@quantum-ai/gemini-cli@0.45.4

Old version - please upgrade to 0.45.12 or later.

Gemini CLI

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,026 file(s), 8.55 MB of source, external domains: 127.0.0.1, accounts.google.com, actual.example.com, admin-mcp.com, admin-server-a.com, admin-server-c.com, ai.google.dev, aistudio.google.com, allowed.com, antigravity.google, api.example.com, api.github.com, asset.url, avatar.com, bing.com, cloud.google.com, default.env.com, default.example.com, developers.google.com, example.com, gemini.env.com, gemini.proxy, geminicli.com, github.com, gitlab.com, goo.gle, google.com, internal.bug-tracker.com, mcp.corp, my-git-host.com, new-source.com, not.link, notallowed.com, play.googleapis.com, policies.google.com, raw.githubusercontent.com, remote.com, settings.com, some.git, somehost.com, tarball.url, test-server.com, test.com, vertex.proxy, www.google.co.jp, www.w3.org, www.youtube.com, xn--tst-qla.com, xn--xample-2of.com, yahoo.com

Source & flagged code

4 flagged · loading source
dist/src/utils/gitUtils.test.jsView file
62patternName = github_pat severity = critical line = 62 matchedText = vi.mocke...t');
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/src/utils/gitUtils.test.jsView on unpkg · L62
62patternName = github_pat severity = critical line = 62 matchedText = vi.mocke...t');
Critical
Secret Pattern

GitHub personal access token in dist/src/utils/gitUtils.test.js

dist/src/utils/gitUtils.test.jsView on unpkg · L62
66patternName = github_fine_grained severity = critical line = 66 matchedText = vi.mocke...t');
Critical
Secret Pattern

GitHub fine-grained PAT in dist/src/utils/gitUtils.test.js

dist/src/utils/gitUtils.test.jsView on unpkg · L66
dist/src/commands/gemma/setup.jsView file
8import path from 'node:path'; L9: import { execFileSync, spawn as nodeSpawn } from 'node:child_process'; L10: import chalk from 'chalk'; ... L22: input: process.stdin, L23: output: process.stdout, L24: }); ... L46: const pctStr = (pct * 100).toFixed(0).padStart(3); L47: process.stderr.write(`\r [${bar}] ${pctStr}% ${formatBytes(downloaded)} / ${formatBytes(total)}`); L48: } ... L57: } L58: const response = await fetch(url, { redirect: 'follow' }); L59: if (!response.ok) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/src/commands/gemma/setup.jsView on unpkg · L8

Findings

3 Critical1 High3 Medium5 Low
CriticalCritical Secretdist/src/utils/gitUtils.test.js
CriticalSecret Patterndist/src/utils/gitUtils.test.js
CriticalSecret Patterndist/src/utils/gitUtils.test.js
HighSandbox Evasion Gated Capabilitydist/src/commands/gemma/setup.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings