registry  /  @raisindb/cli  /  0.1.54

@raisindb/cli@0.1.54

Interactive CLI for RaisinDB with Ink-based terminal UI

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 101 file(s), 739 KB of source, external domains: a.example, api.dropbox.com, api.dropboxapi.com, api.example.com, api.github.com, api.groq.com, app.example.com, b.example, cdn.example.com, github.com, raisindb.com, x.example

Source & flagged code

11 flagged · loading source
dist/commands/server.jsView file
6import { Writable } from 'stream'; L7: import { spawn } from 'child_process'; L8: import { createWriteStream } from 'fs';
High
Child Process

Package source references child process execution.

dist/commands/server.jsView on unpkg · L6
141return new Promise((resolve, reject) => { L142: const child = spawn('powershell', ['-Command', `Expand-Archive -Path '${archive}' -DestinationPath '${targetDir}' -Force`], { stdio: 'ignore' }); L143: child.on('error', reject);
High
Shell

Package source references shell execution.

dist/commands/server.jsView on unpkg · L141
dist/flow/load.jsView file
88/** L89: * Extract `workflow_data:` / `workflowData =` object literals from a JS L90: * source file without executing the module. The literal is evaluated in an
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/flow/load.jsView on unpkg · L88
dist/wasm/schema-validator.jsView file
19package = @raisindb/cli; repositoryIdentity = raisindb; dependency = @raisindb/schema-wasm L19: // Dynamic import of the WASM module (nodejs target - no async init needed) L20: wasmModule = await import('@raisindb/schema-wasm'); L21: // Initialize panic hooks
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/wasm/schema-validator.jsView on unpkg · L19
dist/commands/init.jsView file
38try { L39: execSync('npx skills add maravilla-labs/raisindb/packages/raisindb-skills', { L40: cwd: targetDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/init.jsView on unpkg · L38
dist/commands/admin-commands.test.jsView file
198patternName = generic_password severity = medium line = 198 matchedText = await us...pl);
Medium
Secret Pattern

Hardcoded password in dist/commands/admin-commands.test.js

dist/commands/admin-commands.test.jsView on unpkg · L198
202patternName = generic_password severity = medium line = 202 matchedText = password...5!',
Medium
Secret Pattern

Hardcoded password in dist/commands/admin-commands.test.js

dist/commands/admin-commands.test.jsView on unpkg · L202
217patternName = generic_password severity = medium line = 217 matchedText = await us...pl);
Medium
Secret Pattern

Hardcoded password in dist/commands/admin-commands.test.js

dist/commands/admin-commands.test.jsView on unpkg · L217
219patternName = generic_password severity = medium line = 219 matchedText = expect(c... });
Medium
Secret Pattern

Hardcoded password in dist/commands/admin-commands.test.js

dist/commands/admin-commands.test.jsView on unpkg · L219
225patternName = generic_password severity = medium line = 225 matchedText = await ex...s/);
Medium
Secret Pattern

Hardcoded password in dist/commands/admin-commands.test.js

dist/commands/admin-commands.test.jsView on unpkg · L225
229patternName = generic_password severity = medium line = 229 matchedText = await ex...d();
Medium
Secret Pattern

Hardcoded password in dist/commands/admin-commands.test.js

dist/commands/admin-commands.test.jsView on unpkg · L229

Findings

4 High10 Medium4 Low
HighChild Processdist/commands/server.js
HighShelldist/commands/server.js
HighCopied Package Dependency Bridgedist/wasm/schema-validator.js
HighRuntime Package Installdist/commands/init.js
MediumUnsafe Vm Contextdist/flow/load.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/commands/admin-commands.test.js
MediumSecret Patterndist/commands/admin-commands.test.js
MediumSecret Patterndist/commands/admin-commands.test.js
MediumSecret Patterndist/commands/admin-commands.test.js
MediumSecret Patterndist/commands/admin-commands.test.js
MediumSecret Patterndist/commands/admin-commands.test.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings