registry  /  @stashr/cli  /  0.1.0

@stashr/cli@0.1.0

Search, save, and organize your Stashr library from the command line.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI performs user-invoked Stashr API operations and an OAuth browser login.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the stashr CLI, especially stashr login or bookmark commands.
Impact
Expected account/bookmark operations; no unconsented execution, exfiltration, or persistence was established.
Mechanism
Authenticated Stashr API client with local OAuth token storage.
Rationale
Static signals arise from normal CLI OAuth, browser launching, local token persistence, and API requests. Source inspection found no concrete malicious behavior or install-time execution.
Evidence
package.jsondist/index.jsREADME.md
Network endpoints2
stashr.me127.0.0.1

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, or postinstall hook.
    • dist/index.js runs only as the declared stashr CLI entrypoint.
    • Network requests implement Stashr API and OAuth flows; no unrelated endpoint is embedded.
    • The only child-process use opens the user-requested login URL in a browser.
    • Credential storage is a mode-0600 Stashr config file; logout revokes and removes tokens.
    • No eval, dynamic payload loading, harvesting, or foreign agent-control writes found.
    Behavioral surface
    Source
    ChildProcessEnvironmentVars
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    Manifest
    NoLicense
    scanned 1 file(s), 67.1 KB of source, external domains: 127.0.0.1, example.com, stashr.me

    Source & flagged code

    3 flagged · loading source
    dist/index.jsView file
    13(Did you mean one of ${n.join(", ")}?)`;if(n.length===1)return` L14: (Did you mean ${n[0]}?)`;return""}we.suggestSimilar=ye});var _t=P(($e)=>{var Se=A("node:events").EventEmitter,v=A("node:child_process"),R=A("node:path"),G=A("node:fs"),k=A("node:pr... L15: - specify the name in Command constructor or using .name()`);if(e=e||{},e.isDefault)this._defaultCommandName=t._name;if(e.noHelp||e.hidden)t._hidden=!0;return this._registerCommand...
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L13
    13(Did you mean one of ${n.join(", ")}?)`;if(n.length===1)return` L14: (Did you mean ${n[0]}?)`;return""}we.suggestSimilar=ye});var _t=P(($e)=>{var Se=A("node:events").EventEmitter,v=A("node:child_process"),R=A("node:path"),G=A("node:fs"),k=A("node:pr... L15: - specify the name in Command constructor or using .name()`);if(e=e||{},e.isDefault)this._defaultCommandName=t._name;if(e.noHelp||e.hidden)t._hidden=!0;return this._registerCommand... ... L26: Expecting one of '${r.join("', '")}'`);let n=`${t}Help`;return this.on(n,(o)=>{let i;if(typeof e==="function")i=e({error:o.error,command:o.command});else i=e;if(i)o.write(`${i} L27: `)}),this}_outputHelpIfRequested(t){let e=this._getHelpOption();if(e&&t.find((n)=>e.is(n)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function wt(t){... L28: `,{mode:384}),await Fe(n,r),await ve(r,384).catch(()=>{return})}import{spawn as ge}from"node:child_process";import{createHash as me,randomBytes as It}from"node:crypto";import{creat...
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/index.jsView on unpkg · L13
    13(Did you mean one of ${n.join(", ")}?)`;if(n.length===1)return` L14: (Did you mean ${n[0]}?)`;return""}we.suggestSimilar=ye});var _t=P(($e)=>{var Se=A("node:events").EventEmitter,v=A("node:child_process"),R=A("node:path"),G=A("node:fs"),k=A("node:pr... L15: - specify the name in Command constructor or using .name()`);if(e=e||{},e.isDefault)this._defaultCommandName=t._name;if(e.noHelp||e.hidden)t._hidden=!0;return this._registerCommand... ... L26: Expecting one of '${r.join("', '")}'`);let n=`${t}Help`;return this.on(n,(o)=>{let i;if(typeof e==="function")i=e({error:o.error,command:o.command});else i=e;if(i)o.write(`${i} L27: `)}),this}_outputHelpIfRequested(t){let e=this._getHelpOption();if(e&&t.find((n)=>e.is(n)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function wt(t){... L28: `,{mode:384}),await Fe(n,r),await ve(r,384).catch(()=>{return})}import{spawn as ge}from"node:child_process";import{createHash as me,randomBytes as It}from"node:crypto";import{creat...
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/index.jsView on unpkg · L13

    Findings

    3 High1 Medium4 Low
    HighChild Processdist/index.js
    HighSame File Env Network Executiondist/index.js
    HighCommand Output Exfiltrationdist/index.js
    MediumEnvironment Vars
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License