registry  /  @quantum-ai/roo-code-cli  /  0.2.4

@quantum-ai/roo-code-cli@0.2.4

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 735 KB of source, external domains: api.github.com, api.minimax.io, api.minimaxi.com, api.moonshot.ai, api.moonshot.cn, fireworks.ai, platform.minimax.io, raw.githubusercontent.com

Source & flagged code

4 flagged · loading source
apps/cli/dist/index.jsView file
20114// src/commands/cli/upgrade.ts L20115: import { spawn } from "child_process"; L20116: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Child Process

Package source references child process execution.

apps/cli/dist/index.jsView on unpkg · L20114
4803terminalCommandDelay: z9.number().optional(), L4804: terminalPowershellCounter: z9.boolean().optional(), L4805: terminalZshClearEolMark: z9.boolean().optional(),
High
Shell

Package source references shell execution.

apps/cli/dist/index.jsView on unpkg · L4803
163]).optional(), L164: codebaseIndexEmbedderBaseUrl: z2.string().optional(), L165: codebaseIndexEmbedderModelId: z2.string().optional(), ... L12850: if (fs.existsSync(candidate)) { L12851: const packageJson = JSON.parse(fs.readFileSync(candidate, "utf-8")); L12852: return packageJson.version; ... L20114: // src/commands/cli/upgrade.ts L20115: import { spawn } from "child_process"; L20116: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

apps/cli/dist/index.jsView on unpkg · L163
10}; L11: var __commonJS = (cb, mod) => function __require() { L12: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

apps/cli/dist/index.jsView on unpkg · L10

Findings

3 High3 Medium5 Low
HighChild Processapps/cli/dist/index.js
HighShellapps/cli/dist/index.js
HighRemote Agent Bridgeapps/cli/dist/index.js
MediumDynamic Requireapps/cli/dist/index.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License