registry  /  @runburst/cli  /  0.1.4

@runburst/cli@0.1.4

Burst local CLI for agent-driven prototype review boards.

Static Scan Results

scanned 7h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 43 file(s), 86.4 KB of source, external domains: 127.0.0.1, runburst.ai

Source & flagged code

6 flagged · loading source
dist/burst-core/repo-key.mjsView file
1import { execFile } from "node:child_process"; L2: import path from "node:path";
High
Child Process

Package source references child process execution.

dist/burst-core/repo-key.mjsView on unpkg · L1
dist/index.jsView file
78process.argv = [process.argv[0] ?? "node", `burst ${command}`, ...args]; L79: await import(modulePath); L80: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L78
dist/burst-core/auth.mjsView file
1import { spawn } from "node:child_process"; L2: import { randomBytes } from "node:crypto"; ... L9: export function getBurstAppUrl() { L10: return process.env.BURST_APP_URL ?? process.env.NEXT_PUBLIC_APP_URL ?? "https://runburst.ai"; L11: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/burst-core/auth.mjsView on unpkg · L1
1import { spawn } from "node:child_process"; L2: import { randomBytes } from "node:crypto"; ... L6: import { readJsonResponse } from "./http.mjs"; L7: const tokenPath = path.join(os.homedir(), ".burst", "token"); L8: const storageStateDir = path.join(os.homedir(), ".burst", "storage-state"); L9: export function getBurstAppUrl() { L10: return process.env.BURST_APP_URL ?? process.env.NEXT_PUBLIC_APP_URL ?? "https://runburst.ai"; L11: } L12: export function storageStatePathForOrigin(origin) { L13: return path.join(storageStateDir, `${Buffer.from(origin).toString("base64url")}.json`); L14: } ... L37: function openBrowser(url) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/burst-core/auth.mjsView on unpkg · L1
matchType = previous_version_dangerous_delta matchedPackage = @runburst/cli@0.1.3 matchedIdentity = npm:QHJ1bmJ1cnN0L2NsaQ:0.1.3 similarity = 0.976 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/burst-core/auth.mjsView on unpkg
scripts/clean-worktrees.shView file
path = scripts/clean-worktrees.sh kind = build_helper sizeBytes = 2807 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/clean-worktrees.shView on unpkg

Findings

5 High6 Medium5 Low
HighChild Processdist/burst-core/repo-key.mjs
HighShell
HighSame File Env Network Executiondist/burst-core/auth.mjs
HighSandbox Evasion Gated Capabilitydist/burst-core/auth.mjs
HighPrevious Version Dangerous Deltadist/burst-core/auth.mjs
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/clean-worktrees.sh
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License