registry  /  @quantum-ai/gemini-cli  /  0.45.7

@quantum-ai/gemini-cli@0.45.7

Old version - please upgrade to 0.45.12 or later.

Gemini CLI

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 565 file(s), 3.31 MB of source, external domains: ai.google.dev, aistudio.google.com, antigravity.google, api.github.com, cloud.google.com, developers.google.com, geminicli.com, github.com, goo.gle, policies.google.com, raw.githubusercontent.com, www.w3.org, www.youtube.com

Source & flagged code

1 flagged · loading source
dist/src/commands/gemma/setup.jsView file
8import path from 'node:path'; L9: import { execFileSync, spawn as nodeSpawn } from 'node:child_process'; L10: import chalk from 'chalk'; ... L22: input: process.stdin, L23: output: process.stdout, L24: }); ... L46: const pctStr = (pct * 100).toFixed(0).padStart(3); L47: process.stderr.write(`\r [${bar}] ${pctStr}% ${formatBytes(downloaded)} / ${formatBytes(total)}`); L48: } ... L57: } L58: const response = await fetch(url, { redirect: 'follow' }); L59: if (!response.ok) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/src/commands/gemma/setup.jsView on unpkg · L8

Findings

1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/src/commands/gemma/setup.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings