registry  /  @sun-asterisk/sungen  /  3.2.4

@sun-asterisk/sungen@3.2.4

Deterministic E2E Test Compiler - Gherkin + Selectors → Playwright tests

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 319 file(s), 2.06 MB of source, external domains: 127.0.0.1, api.figma.com, example.com, mcp.figma.com, sungen.sun-asterisk.vn, www.figma.com, www.googleapis.com, your-app.com

Source & flagged code

7 flagged · loading source
dist/tools/sungen-auth/open-browser.jsView file
10exports.openBrowser = openBrowser; L11: const child_process_1 = require("child_process"); L12: /** Attempt to open `url` in the system browser. Returns true if a launcher was spawned. */
High
Child Process

Package source references child process execution.

dist/tools/sungen-auth/open-browser.jsView on unpkg · L10
src/tools/sungen-api/edit-in-editor.tsView file
35// shell:true so editors with args work (e.g. VISUAL="code --wait"). L36: const result = spawnSync(`${editor} "${file}"`, { shell: true, stdio: 'inherit' }); L37: if (result.error) throw new Error(`Could not launch editor "${editor}": ${result.error.message}`);
High
Shell

Package source references shell execution.

src/tools/sungen-api/edit-in-editor.tsView on unpkg · L35
bin/sungen.jsView file
8// Import tsx loader and run the CLI L9: require('tsx/cjs/api').register(); L10:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/sungen.jsView on unpkg · L8
src/harness/manifest.tsView file
62const lines = fs.readFileSync(specPath, 'utf-8').split('\n'); L63: const sections: { name: string; body: string[] }[] = []; L64: let cur: { name: string; body: string[] } | null = null; ... L162: export function manifestPath(screenName: string): string { L163: return path.join(process.cwd(), '.sungen', 'manifest', `${reportSlug(screenName)}.json`); L164: } ... L166: const p = manifestPath(screenName); L167: return fs.existsSync(p) ? JSON.parse(fs.readFileSync(p, 'utf-8')) : null; L168: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/harness/manifest.tsView on unpkg · L62
dist/ingest/gsheet-fetch.jsView file
44* `googleapis` is an OPTIONAL dependency (lazy-required) — the core install stays lean; L45: * users who want the Google fetch run `npm i googleapis` + authenticate once with L46: * `gcloud auth application-default login` (or set GOOGLE_APPLICATION_CREDENTIALS). ... L49: const readline = __importStar(require("readline")); L50: const child_process_1 = require("child_process"); L51: const SCOPE = 'https://www.googleapis.com/auth/spreadsheets.readonly';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/ingest/gsheet-fetch.jsView on unpkg · L44
dist/orchestrator/templates/ai-src/skills/sungen-tc-generation/SKILL.mdView file
616patternName = generic_password severity = medium line = 616 matchedText = password...123"
Medium
Secret Pattern

Hardcoded password in dist/orchestrator/templates/ai-src/skills/sungen-tc-generation/SKILL.md

dist/orchestrator/templates/ai-src/skills/sungen-tc-generation/SKILL.mdView on unpkg · L616
src/orchestrator/templates/ai-src/skills/sungen-tc-generation/SKILL.mdView file
616patternName = generic_password severity = medium line = 616 matchedText = password...123"
Medium
Secret Pattern

Hardcoded password in src/orchestrator/templates/ai-src/skills/sungen-tc-generation/SKILL.md

src/orchestrator/templates/ai-src/skills/sungen-tc-generation/SKILL.mdView on unpkg · L616

Findings

3 High6 Medium6 Low
HighChild Processdist/tools/sungen-auth/open-browser.js
HighShellsrc/tools/sungen-api/edit-in-editor.ts
HighRuntime Package Installdist/ingest/gsheet-fetch.js
MediumDynamic Requirebin/sungen.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/orchestrator/templates/ai-src/skills/sungen-tc-generation/SKILL.md
MediumSecret Patternsrc/orchestrator/templates/ai-src/skills/sungen-tc-generation/SKILL.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptosrc/harness/manifest.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings