registry  /  @stashr/cli  /  0.2.0

@stashr/cli@0.2.0

Search, save, and organize your Stashr library from the command line.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked Stashr CLI that performs authenticated API and OAuth operations.

Static reason
One or more suspicious static signals were detected.
Trigger
Running the stashr CLI, especially login or media commands.
Impact
Performs the requested Stashr account and bookmark operations; no stealth harvesting, foreign control-surface mutation, or install-time execution was found.
Mechanism
User-invoked Stashr OAuth, API requests, config persistence, and requested preview download.
Rationale
Static source inspection shows expected CLI behavior rather than a concrete malicious chain. Scanner hits map to bundled dependencies and legitimate OAuth/API functionality.
Evidence
package.jsonREADME.mddist/index.js
Network endpoints2
stashr.me127.0.0.1

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, or postinstall hook.
    • dist/index.js only runs its CLI parser when the bin is invoked.
    • Network requests use the Stashr API and OAuth endpoints; default base URL is https://stashr.me.
    • STASHR_API_KEY and OAuth tokens are used as Authorization bearer credentials for Stashr requests.
    • Child-process use opens the user OAuth URL; it does not execute collected commands.
    • Filesystem writes are limited to Stashr OAuth config and user-requested media output.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsEval
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    Manifest
    NoLicense
    scanned 1 file(s), 350 KB of source, external domains: 127.0.0.1, example.com, json-schema.org, stashr.me

    Source & flagged code

    4 flagged · loading source
    dist/index.jsView file
    13(Did you mean one of ${e.join(", ")}?)`;if(e.length===1)return` L14: (Did you mean ${e[0]}?)`;return""}rb.suggestSimilar=sU});var sI=Nr(($b)=>{var tb=kn("node:events").EventEmitter,el=kn("node:child_process"),lr=kn("node:path"),Vi=kn("node:fs"),J=kn... L15: - specify the name in Command constructor or using .name()`);if(t=t||{},t.isDefault)this._defaultCommandName=r._name;if(t.noHelp||t.hidden)r._hidden=!0;return this._registerCommand...
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L13
    90L91: Set the \`cycles\` parameter to \`"ref"\` to resolve cyclical schemas with defs.`)}for(let u of r.seen.entries()){let v=u[1];if(t===u[0]){o(u);continue}if(r.external){let $=r.exter... L92: `));break;case"table":{if(e.header?.length)i.push(e.header.map(JI).join("\t"));for(let n of e.rows)i.push(n.map(JI).join("\t"));break}case"embed":{let n=e.author.displayName?`${e.a... ... L94: L95: `)}function QI(r){return r.title??r.author?.displayName??(r.author?`@${r.author.username}`:null)??`${r.platform} bookmark`}function AU(r){if(!r.author)return null;return r.author.d... L96: `,{mode:384}),await qb(e,i),await Lb(i,384).catch(()=>{return})}import{spawn as Yb}from"node:child_process";import{createHash as Kb,randomBytes as $_}from"node:crypto";import{creat... L97: `)?r:`${r}
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/index.jsView on unpkg · L90
    15- specify the name in Command constructor or using .name()`);if(t=t||{},t.isDefault)this._defaultCommandName=r._name;if(t.noHelp||t.hidden)r._hidden=!0;return this._registerCommand... L16: Expecting one of '${i.join("', '")}'`);if(this._lifeCycleHooks[r])this._lifeCycleHooks[r].push(t);else this._lifeCycleHooks[r]=[t];return this}exitOverride(r){if(r)this._exitCallba... L17: - already used by option '${t.flags}'`)}this._initOptionGroup(r),this.options.push(r)}_registerCommand(r){let t=(e)=>{return[e.name()].concat(e.aliases())},i=t(r).find((e)=>this._... L18: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L24: `),this.outputHelp({error:!0});let i=t||{},e=i.exitCode||1,n=i.code||"commander.error";this._exit(e,n,r)}_parseOptionsEnv(){this.options.forEach((r)=>{if(r.envVar&&r.envVar in J.en... L25: `),this._exit(0,"commander.version",r)}),this}description(r,t){if(r===void 0&&t===void 0)return this._description;if(this._description=r,t)this._argsDescription=t;return this}summa... L26: Expecting one of '${i.join("', '")}'`);let e=`${r}Help`;r
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/index.jsView on unpkg · L15
    26Expecting one of '${i.join("', '")}'`);let e=`${r}Help`;return this.on(e,(n)=>{let o;if(typeof t==="function")o=t({error:n.error,command:n.command});else o=t;if(o)n.write(`${o} L27: `)}),this}_outputHelpIfRequested(r){let t=this._getHelpOption();if(t&&r.find((e)=>t.is(e)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function pI(r){... L28: `)}var Qr=(r)=>(t,i,e,n)=>{let o=e?{...e,async:!1}:{async:!1},u=t._zod.run({value:i,issues:[]},o);if(u instanceof Promise)throw new nr;if(u.issues.length){let v=new(n?.Err??r)(u.is...
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/index.jsView on unpkg · L26

    Findings

    3 High1 Medium5 Low
    HighChild Processdist/index.js
    HighSame File Env Network Executiondist/index.js
    HighCommand Output Exfiltrationdist/index.js
    MediumEnvironment Vars
    LowScripts Present
    LowEvaldist/index.js
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License