registry  /  @speed.press/kit  /  1.7.0

@speed.press/kit@1.7.0

Convert WordPress sites into pixel-faithful Astro frontends

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 39 file(s), 312 KB of source, external domains: 127.0.0.1, aiscan.site, console.anthropic.com, integration.xcloud.host, www.sitemaps.org, xcloud.host

Source & flagged code

5 flagged · loading source
templates/regenerator/server.jsView file
8import { createHmac, timingSafeEqual } from 'crypto'; L9: import { execFile } from 'child_process'; L10: import { readFileSync, writeFileSync, renameSync, existsSync } from 'fs';
High
Child Process

Package source references child process execution.

templates/regenerator/server.jsView on unpkg · L8
6*/ L7: import http from 'http'; L8: import { createHmac, timingSafeEqual } from 'crypto'; L9: import { execFile } from 'child_process'; L10: import { readFileSync, writeFileSync, renameSync, existsSync } from 'fs'; ... L19: L20: const PORT = parseInt(process.env.REGENERATOR_PORT || '8080', 10); L21: const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET || '';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

templates/regenerator/server.jsView on unpkg · L6
src/utils/asset-bundler.jsView file
12* Usage: L13: * const bundler = new AssetBundler('https://example.com', '/output/dir'); L14: * const localCss = await bundler.rewriteCSSUrls(cssText, cssFileUrl); ... L42: _resolveUrl(ref, cssFileUrl) { L43: if (ref.startsWith('data:')) return ref; L44: try { ... L97: if (!res.ok) throw new Error(`HTTP ${res.status}`); L98: const buf = Buffer.from(await res.arrayBuffer()); L99: await writeFile(localPath, buf);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/utils/asset-bundler.jsView on unpkg · L12
src/utils/mirror/verify.jsView file
208package = @speed.press/kit; repositoryIdentity = xcloud-headless; dependency = pixelmatch L208: ({ chromium } = await import('playwright')); L209: pixelmatch = (await import('pixelmatch')).default; L210: ({ PNG } = await import('pngjs'));
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

src/utils/mirror/verify.jsView on unpkg · L208
templates/docker/start.shView file
path = templates/docker/start.sh kind = build_helper sizeBytes = 315 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/docker/start.shView on unpkg

Findings

4 High4 Medium5 Low
HighChild Processtemplates/regenerator/server.js
HighShell
HighSame File Env Network Executiontemplates/regenerator/server.js
HighCopied Package Dependency Bridgesrc/utils/mirror/verify.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/docker/start.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/utils/asset-bundler.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings