registry  /  @rulemetric/cli  /  0.5.2

@rulemetric/cli@0.5.2

The RuleMetric CLI. Manages instructions, sessions, evals, and (as of the user-management release) organizations.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 221 file(s), 677 KB of source, external domains: rulemetric.com, www.apple.com

Source & flagged code

6 flagged · loading source
dist/chunk-346TGPVR.jsView file
15// src/lib/setup-steps.ts L16: import { execSync } from "node:child_process"; L17: import { existsSync, readFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/chunk-346TGPVR.jsView on unpkg · L15
100function runCommand(cmd) { L101: execSync(cmd, { stdio: "inherit" }); L102: } ... L106: title: "Install the CLI", L107: command: "npm install -g @rulemetric/cli", L108: // Monotonic: the CLI must exist to produce any downstream signal, so it
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/chunk-346TGPVR.jsView on unpkg · L100
dist/commands/proxy/setup.jsView file
34description: "Shell to configure (auto-detected if omitted)", L35: options: ["zsh", "bash", "fish", "powershell"] L36: }),
High
Shell

Package source references shell execution.

dist/commands/proxy/setup.jsView on unpkg · L34
dist/commands/evals/run.jsView file
49} L50: this.log(`Running ${evals.length} eval(s) for "${target.name}" v${target.version}`); L51: this.log(`Config: ${flags["runs-per-eval"]} run(s) per eval, parallel=${flags.parallel}, iteration=${flags.iteration}`);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/commands/evals/run.jsView on unpkg · L49
dist/chunk-ANOWI23I.jsView file
1// src/lib/hooks-config.ts L2: import { execSync } from "node:child_process"; L3: import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync } from "node:fs"; ... L141: try { L142: existing = JSON.parse(readFileSync(configPath, "utf-8")); L143: } catch { ... L167: function writeCursorUserHooks() { L168: return writeCursorHooksToDir(join(homedir(), ".cursor")); L169: } ... L233: } L234: settings["http.proxy"] = `http://localhost:${gatewayPort}`; L235: settings["http.proxyStrictSSL"] = existsSync(certPath);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunk-ANOWI23I.jsView on unpkg · L1
1// src/lib/hooks-config.ts L2: import { execSync } from "node:child_process"; L3: import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync } from "node:fs"; ... L141: try { L142: existing = JSON.parse(readFileSync(configPath, "utf-8")); L143: } catch { ... L167: function writeCursorUserHooks() { L168: return writeCursorHooksToDir(join(homedir(), ".cursor")); L169: } ... L233: } L234: settings["http.proxy"] = `http://localhost:${gatewayPort}`; L235: settings["http.proxyStrictSSL"] = existsSync(certPath);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-ANOWI23I.jsView on unpkg · L1

Findings

4 High4 Medium6 Low
HighChild Processdist/chunk-346TGPVR.js
HighShelldist/commands/proxy/setup.js
HighSandbox Evasion Gated Capabilitydist/chunk-ANOWI23I.js
HighRuntime Package Installdist/chunk-346TGPVR.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-ANOWI23I.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/commands/evals/run.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License