registry  /  @rulemetric/cli  /  0.7.1

@rulemetric/cli@0.7.1

⚠ Under review

The RuleMetric CLI. Manages instructions, sessions, evals, and (as of the user-management release) organizations.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 235 file(s), 733 KB of source, external domains: 127.0.0.1, rulemetric.com, www.apple.com

Source & flagged code

7 flagged · loading source
dist/chunk-Y4BJXXYV.jsView file
8// src/lib/worktree.ts L9: import { spawn } from "node:child_process"; L10: import fs from "node:fs";
High
Child Process

Package source references child process execution.

dist/chunk-Y4BJXXYV.jsView on unpkg · L8
dist/commands/proxy/setup.jsView file
35description: "Shell to configure (auto-detected if omitted)", L36: options: ["zsh", "bash", "fish", "powershell"] L37: }),
High
Shell

Package source references shell execution.

dist/commands/proxy/setup.jsView on unpkg · L35
dist/commands/evals/run.jsView file
50} L51: this.log(`Running ${evals.length} eval(s) for "${target.name}" v${target.version}`); L52: this.log(`Config: ${flags["runs-per-eval"]} run(s) per eval, parallel=${flags.parallel}, iteration=${flags.iteration}`);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/commands/evals/run.jsView on unpkg · L50
dist/chunk-LXKPNATC.jsView file
5// src/lib/hooks-config.ts L6: import { execSync } from "node:child_process"; L7: import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync, copyFileSync } from "node:fs"; ... L83: try { L84: return { settings: JSON.parse(raw), recoveredBackup: null }; L85: } catch { ... L165: const proxy = env.HTTPS_PROXY; L166: if (proxy === `http://localhost:${gatewayPort}` || proxy === `http://127.0.0.1:${gatewayPort}`) { L167: delete env.HTTPS_PROXY; ... L259: } L260: function writeCursorUserHooks(binDir, home = homedir()) { L261: const cursorHome = join(home, ".cursor");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunk-LXKPNATC.jsView on unpkg · L5
5// src/lib/hooks-config.ts L6: import { execSync } from "node:child_process"; L7: import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync, copyFileSync } from "node:fs"; ... L83: try { L84: return { settings: JSON.parse(raw), recoveredBackup: null }; L85: } catch { ... L165: const proxy = env.HTTPS_PROXY; L166: if (proxy === `http://localhost:${gatewayPort}` || proxy === `http://127.0.0.1:${gatewayPort}`) { L167: delete env.HTTPS_PROXY; ... L259: } L260: function writeCursorUserHooks(binDir, home = homedir()) { L261: const cursorHome = join(home, ".cursor");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-LXKPNATC.jsView on unpkg · L5
dist/chunk-OKWCKCPE.jsView file
119function runCommand(cmd) { L120: execSync(cmd, { stdio: "inherit" }); L121: } ... L125: title: "Install the CLI", L126: command: "npm install -g @rulemetric/cli", L127: // Monotonic: the CLI must exist to produce any downstream signal, so it
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/chunk-OKWCKCPE.jsView on unpkg · L119
dist/chunk-7NNFYWKK.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @rulemetric/cli@0.5.2 matchedIdentity = npm:QHJ1bGVtZXRyaWMvY2xp:0.5.2 similarity = 0.433 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-7NNFYWKK.jsView on unpkg

Findings

1 Critical4 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/chunk-7NNFYWKK.js
HighChild Processdist/chunk-Y4BJXXYV.js
HighShelldist/commands/proxy/setup.js
HighSandbox Evasion Gated Capabilitydist/chunk-LXKPNATC.js
HighRuntime Package Installdist/chunk-OKWCKCPE.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-LXKPNATC.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/commands/evals/run.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License