registry  /  @stashr/cli  /  0.2.2

@stashr/cli@0.2.2

Search, save, and organize your Stashr library from the command line.

AI Security Review

scanned 33m ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI performs user-invoked Stashr OAuth and API operations, with an optional local OAuth callback listener.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs stashr commands such as login, search, save, or media.
Impact
Normal account and bookmark operations; no install-time execution, credential harvesting, stealth persistence, or foreign AI-agent modification found.
Mechanism
Explicit CLI OAuth, API requests, local token storage, and requested media download.
Rationale
Static signals are explained by normal bundled CLI dependencies and explicit Stashr OAuth/API functionality. No lifecycle hook or concrete malicious data-flow, persistence, destructive behavior, or unconsented control-surface mutation was found.
Evidence
package.jsonREADME.mddist/index.js~/.config/stashr/config.json~/Library/Application Support/Stashr/config.json%APPDATA%/Stashr/config.json
Network endpoints2
stashr.me127.0.0.1

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks.
    • dist/index.js runs only through the stashr CLI bin entrypoint.
    • dist/index.js uses child_process only to open the user-requested OAuth URL.
    • dist/index.js stores OAuth configuration with owner-only file permissions.
    • dist/index.js sends bearer credentials only to the configured Stashr API base URL.
    • README.md documents explicit login, search, save, and media commands.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsEval
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    Manifest
    NoLicense
    scanned 1 file(s), 352 KB of source, external domains: 127.0.0.1, example.com, json-schema.org, stashr.me

    Source & flagged code

    4 flagged · loading source
    dist/index.jsView file
    13(Did you mean one of ${$.join(", ")}?)`;if($.length===1)return` L14: (Did you mean ${$[0]}?)`;return""}sc.suggestSimilar=pc});var n_=zr((gb)=>{var nb=Sn("node:events").EventEmitter,ge=Sn("node:child_process"),er=Sn("node:path"),Mt=Sn("node:fs"),O=Sn... L15: - specify the name in Command constructor or using .name()`);if(i=i||{},i.isDefault)this._defaultCommandName=r._name;if(i.noHelp||i.hidden)r._hidden=!0;return this._registerCommand...
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L13
    90L91: Set the \`cycles\` parameter to \`"ref"\` to resolve cyclical schemas with defs.`)}for(let u of r.seen.entries()){let g=u[1];if(i===u[0]){v(u);continue}if(r.external){let o=r.exter... L92: `));break;case"table":{if($.header?.length)t.push($.header.map(A6).join("\t"));for(let n of $.rows)t.push(n.map(A6).join("\t"));break}case"embed":{let n=$.author.displayName?`${$.a... ... L94: L95: `)}function Xc(r){if(!r.author)return null;return r.author.displayName??`@${r.author.username}`}function f6(r){return{archived:r.deletedAt!==null,author:Xc(r),capturedAt:r.captured... L96: `,{mode:384}),await Gb($,t),await Lb(t,384).catch(()=>{return})}import{spawn as Vb}from"node:child_process";import{createHash as Yb,randomBytes as e_}from"node:crypto";import{creat... L97: `)?r:`${r}
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/index.jsView on unpkg · L90
    15- specify the name in Command constructor or using .name()`);if(i=i||{},i.isDefault)this._defaultCommandName=r._name;if(i.noHelp||i.hidden)r._hidden=!0;return this._registerCommand... L16: Expecting one of '${t.join("', '")}'`);if(this._lifeCycleHooks[r])this._lifeCycleHooks[r].push(i);else this._lifeCycleHooks[r]=[i];return this}exitOverride(r){if(r)this._exitCallba... L17: - already used by option '${i.flags}'`)}this._initOptionGroup(r),this.options.push(r)}_registerCommand(r){let i=($)=>{return[$.name()].concat($.aliases())},t=i(r).find(($)=>this._... L18: - either make a new Command for each call to parse, or stop storing options as properties`);this._name=this._savedState._name,this._scriptPath=null,this.rawArgs=[],this._optionValu... ... L24: `),this.outputHelp({error:!0});let t=i||{},$=t.exitCode||1,n=t.code||"commander.error";this._exit($,n,r)}_parseOptionsEnv(){this.options.forEach((r)=>{if(r.envVar&&r.envVar in O.en... L25: `),this._exit(0,"commander.version",r)}),this}description(r,i){if(r===void 0&&i===void 0)return this._description;if(this._description=r,i)this._argsDescription=i;return this}summa... L26: Expecting one of '${t.join("', '")}'`);let $=`${r}Help`;r
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/index.jsView on unpkg · L15
    26Expecting one of '${t.join("', '")}'`);let $=`${r}Help`;return this.on($,(n)=>{let v;if(typeof i==="function")v=i({error:n.error,command:n.command});else v=i;if(v)n.write(`${v} L27: `)}),this}_outputHelpIfRequested(r){let i=this._getHelpOption();if(i&&r.find(($)=>i.is($)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function r_(r){... L28: `)}var fr=(r)=>(i,t,$,n)=>{let v=$?{...$,async:!1}:{async:!1},u=i._zod.run({value:t,issues:[]},v);if(u instanceof Promise)throw new nr;if(u.issues.length){let g=new(n?.Err??r)(u.is...
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/index.jsView on unpkg · L26

    Findings

    3 High1 Medium5 Low
    HighChild Processdist/index.js
    HighSame File Env Network Executiondist/index.js
    HighCommand Output Exfiltrationdist/index.js
    MediumEnvironment Vars
    LowScripts Present
    LowEvaldist/index.js
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License