registry  /  @quantum-ai/roo-code-cli  /  0.2.9

@quantum-ai/roo-code-cli@0.2.9

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 4 file(s), 1.22 MB of source, external domains: api.github.com, api.minimax.io, api.minimaxi.com, api.moonshot.ai, api.moonshot.cn, dev.to, dotenvx.com, feross.org, fireworks.ai, github.com, jimmy.warting.se, platform.minimax.io, raw.githubusercontent.com, sheetjs.com, www.eliostruyf.com
Oversized source lightweight scan
apps/cli/extension/extension.js32.8 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStringsdev.todotenvx.comfeross.orggithub.comjimmy.warting.sesheetjs.comwww.eliostruyf.com
apps/cli/extension/workers/countTokens.js2.28 MB file, sampled 256 KB
FilesystemChildProcessEvalShellHighEntropyStrings

Source & flagged code

5 flagged · loading source
apps/cli/dist/index.cjsView file
18703// src/commands/cli/upgrade.ts L18704: var import_child_process = require("child_process"); L18705: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Child Process

Package source references child process execution.

apps/cli/dist/index.cjsView on unpkg · L18703
160]).optional(), L161: codebaseIndexEmbedderBaseUrl: import_zod2.z.string().optional(), L162: codebaseIndexEmbedderModelId: import_zod2.z.string().optional(), ... L11436: if (import_fs.default.existsSync(candidate)) { L11437: const packageJson = JSON.parse(import_fs.default.readFileSync(candidate, "utf-8")); L11438: return packageJson.version; ... L18703: // src/commands/cli/upgrade.ts L18704: var import_child_process = require("child_process"); L18705: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

apps/cli/dist/index.cjsView on unpkg · L160
apps/cli/extension/wasm_exec_node.jsView file
12globalThis.require = require; L13: globalThis.fs = require("fs"); L14: globalThis.TextEncoder = require("util").TextEncoder;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

apps/cli/extension/wasm_exec_node.jsView on unpkg · L12
apps/cli/extension/tree-sitter-elm.wasmView file
path = apps/cli/extension/tree-sitter-elm.wasm kind = wasm_module sizeBytes = 148886 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

apps/cli/extension/tree-sitter-elm.wasmView on unpkg
apps/cli/extension/workers/countTokens.jsView file
path = [redacted].js kind = oversized_source_file sizeBytes = 2395419 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

apps/cli/extension/workers/countTokens.jsView on unpkg

Findings

4 High4 Medium6 Low
HighChild Processapps/cli/dist/index.cjs
HighShell
HighRemote Agent Bridgeapps/cli/dist/index.cjs
HighOversized Source Fileapps/cli/extension/workers/countTokens.js
MediumDynamic Requireapps/cli/extension/wasm_exec_node.js
MediumEnvironment Vars
MediumShips Wasm Moduleapps/cli/extension/tree-sitter-elm.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License