
@quantum-ai/roo-code-cli@0.4.0

This version is deprecated. Please upgrade to 0.4.9.

Roo Code CLI - Run the Roo Code agent from the command line

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No License
scanned 2 file(s), 1.58 MB of source, external domains: api.github.com, api.minimax.io, api.minimaxi.com, api.moonshot.ai, api.moonshot.cn, dotenvx.com, fireworks.ai, github.com, platform.minimax.io, raw.githubusercontent.com
Oversized source lightweight scan
extension/extension.js: 29.9 MB file, sampled 256 KB
Signals in sample: Filesystem, Child Process, Environment Vars, Crypto, High Entropy Strings, Url Strings; external domains: dotenvx.com, github.com

Source & flagged code

5 flagged
dist/index.js
L20198: // src/cli/commands/cli/upgrade.ts
L20199: import { spawn } from "child_process";
L20200: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Child Process

Package source references child process execution.

dist/index.js · L20198
L4804: terminalCommandDelay: z9.number().optional(),
L4805: terminalPowershellCounter: z9.boolean().optional(),
L4806: terminalZshClearEolMark: z9.boolean().optional(),
High
Shell

Package source references shell execution.

dist/index.js · L4804
L163: ]).optional(),
L164: codebaseIndexEmbedderBaseUrl: z2.string().optional(),
L165: codebaseIndexEmbedderModelId: z2.string().optional(),
...
L12920: if (fs.existsSync(candidate)) {
L12921: const packageJson = JSON.parse(fs.readFileSync(candidate, "utf-8"));
L12922: return packageJson.version;
...
L20198: // src/cli/commands/cli/upgrade.ts
L20199: import { spawn } from "child_process";
L20200: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/index.js · L163
L10: };
L11: var __commonJS = (cb, mod) => function __require() {
L12: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.js · L10
extension/extension.js
path = extension/extension.js
kind = oversized_source_file
sizeBytes = 31325922
magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

extension/extension.js

Findings

4 High · 3 Medium · 5 Low
High · Child Process · dist/index.js
High · Shell · dist/index.js
High · Remote Agent Bridge · dist/index.js
High · Oversized Source File · extension/extension.js
Medium · Dynamic Require · dist/index.js
Medium · Environment Vars
Medium · Structural Risk (Force Deep Review)
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License