registry  /  @quantum-ai/roo-code-cli  /  0.2.7

@quantum-ai/roo-code-cli@0.2.7

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 4 file(s), 1.24 MB of source, external domains: api.github.com, api.minimax.io, api.minimaxi.com, api.moonshot.ai, api.moonshot.cn, dev.to, dotenvx.com, feross.org, fireworks.ai, github.com, jimmy.warting.se, platform.minimax.io, raw.githubusercontent.com, sheetjs.com, www.eliostruyf.com
Oversized source lightweight scan
apps/cli/extension/extension.js32.8 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsdev.todotenvx.comfeross.orggithub.comjimmy.warting.sesheetjs.comwww.eliostruyf.com
apps/cli/extension/workers/countTokens.js2.28 MB file, sampled 256 KB
FilesystemChildProcessEvalShellHighEntropyStrings

Source & flagged code

6 flagged · loading source
apps/cli/dist/index.jsView file
20113// src/commands/cli/upgrade.ts L20114: import { spawn } from "child_process"; L20115: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Child Process

Package source references child process execution.

apps/cli/dist/index.jsView on unpkg · L20113
4803terminalCommandDelay: z9.number().optional(), L4804: terminalPowershellCounter: z9.boolean().optional(), L4805: terminalZshClearEolMark: z9.boolean().optional(),
High
Shell

Package source references shell execution.

apps/cli/dist/index.jsView on unpkg · L4803
163]).optional(), L164: codebaseIndexEmbedderBaseUrl: z2.string().optional(), L165: codebaseIndexEmbedderModelId: z2.string().optional(), ... L12850: if (fs.existsSync(candidate)) { L12851: const packageJson = JSON.parse(fs.readFileSync(candidate, "utf-8")); L12852: return packageJson.version; ... L20113: // src/commands/cli/upgrade.ts L20114: import { spawn } from "child_process"; L20115: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

apps/cli/dist/index.jsView on unpkg · L163
apps/cli/extension/wasm_exec_node.jsView file
12globalThis.require = require; L13: globalThis.fs = require("fs"); L14: globalThis.TextEncoder = require("util").TextEncoder;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

apps/cli/extension/wasm_exec_node.jsView on unpkg · L12
apps/cli/extension/tree-sitter-elm.wasmView file
path = apps/cli/extension/tree-sitter-elm.wasm kind = wasm_module sizeBytes = 148886 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

apps/cli/extension/tree-sitter-elm.wasmView on unpkg
apps/cli/extension/workers/countTokens.jsView file
path = [redacted].js kind = oversized_source_file sizeBytes = 2395419 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

apps/cli/extension/workers/countTokens.jsView on unpkg

Findings

4 High4 Medium6 Low
HighChild Processapps/cli/dist/index.js
HighShellapps/cli/dist/index.js
HighRemote Agent Bridgeapps/cli/dist/index.js
HighOversized Source Fileapps/cli/extension/workers/countTokens.js
MediumDynamic Requireapps/cli/extension/wasm_exec_node.js
MediumEnvironment Vars
MediumShips Wasm Moduleapps/cli/extension/tree-sitter-elm.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License