registry  /  @togglhq/cli  /  1.5.19

@togglhq/cli@1.5.19

Toggl CLI for Focus API operations.

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 999 KB of source, external domains: accounts.toggl.com, empty.invalid, focus.toggl.com, fonts.googleapis.com, fonts.gstatic.com, github.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
build/program-BwnVUFVS.jsView file
1import { createRequire } from "node:module"; L2: import { exec, spawn } from "node:child_process"; L3: import * as path$1 from "node:path";
High
Child Process

Package source references child process execution.

build/program-BwnVUFVS.jsView on unpkg · L1
1829if (process$3.versions?.electron) parseOptions.from = "electron"; L1830: const execArgv = process$3.execArgv ?? []; L1831: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) parseOptions.from = "eval";
High
Shell

Package source references shell execution.

build/program-BwnVUFVS.jsView on unpkg · L1829
11708const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start \"\"" : "xdg-open"; L11709: exec(`${cmd} "${url}"`, (err) => { L11710: if (err) process.stderr.write(`Could not open browser (${cmd}): ${err.message}\n`); L11711: }); ... L11717: function togglOAuthLocalRedirectUri(port = TOGGL_OAUTH_CALLBACK_PORT) { L11718: return `http://localhost:${port}/callback`; L11719: }
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

build/program-BwnVUFVS.jsView on unpkg · L11708
25759} L25760: if (viaNpx) throw new Error(`Running via npx does not update a global install. Run \`npx ${getPublicPackageSpec()}\`, or install globally with:\n npm install -g ${getPublicPackage... L25761: const { command, args } = buildGlobalInstallCommand(detectPackageManager()); L25762: await new Promise((resolve, reject) => { L25763: const child = spawn(command, args, { stdio: "inherit" }); L25764: child.on("error", (err) => {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

build/program-BwnVUFVS.jsView on unpkg · L25759

Findings

4 High3 Medium5 Low
HighChild Processbuild/program-BwnVUFVS.js
HighShellbuild/program-BwnVUFVS.js
HighCommand Output Exfiltrationbuild/program-BwnVUFVS.js
HighRuntime Package Installbuild/program-BwnVUFVS.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License