registry  /  @thingd/cli  /  0.47.5

@thingd/cli@0.47.5

⚠ Under review

CLI, Interactive TUI Dashboard, and MCP server for thingd — a fast object-first data engine for applications and AI agents.

Static Scan Results

scanned 6d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 321 KB of source, external domains: 127.0.0.1, api.thingd.cloud, svelte.dev, thingd.cloud, thingd.local, www.w3.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
290try { L291: const { execSync } = await import("node:child_process"); L292: try {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L290
1024const { server: _server, close } = await startDashboardServer(connection, port); L1025: context.stderr.write(`${pc.green("✔ Dashboard successfully loaded.")}\n` + L1026: `Opening browser... (Press ${pc.yellow("Ctrl+C")} to stop the server)\n\n`); L1027: await openBrowser(`http://localhost:${port}`); L1028: return new Promise((_resolve) => { ... L1039: async function openBrowser(url) { L1040: const { exec } = await import("node:child_process"); L1041: const startCommand = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1024
dist/commands/cloud.jsView file
1import { execSync } from "node:child_process"; L2: import { setTimeout as sleep } from "node:timers/promises"; ... L9: function cliApiUrl(context) { L10: return stringFlag(context.parsed, "url") ?? process.env.THINGD_URL ?? "https://api.thingd.cloud"; L11: } ... L22: try { L23: const platform = process.platform; L24: if (platform === "darwin") { ... L65: default: L66: context.stderr.write(`Unknown cloud subcommand: ${sub}\n` + L67: "Available: login, logout, status, org, project, instance, api-key\n");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/cloud.jsView on unpkg · L1
dist/interactive.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @thingd/cli@0.44.3 matchedIdentity = npm:QHRoaW5nZC9jbGk:0.44.3 similarity = 0.900 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/interactive.jsView on unpkg

Findings

1 Critical4 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/interactive.js
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/commands/cloud.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings