registry  /  @togglhq/cli  /  1.5.22

@togglhq/cli@1.5.22

⚠ Under review

Toggl CLI for Toggl 2.0 API operations.

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 999 KB of source, external domains: accounts.toggl.com, empty.invalid, focus.toggl.com, fonts.googleapis.com, fonts.gstatic.com, github.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

5 flagged · loading source
build/program-Bz9wasNE.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @togglhq/cli@1.5.19 matchedIdentity = npm:QHRvZ2dsaHEvY2xp:1.5.19 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/program-Bz9wasNE.jsView on unpkg
1import { createRequire } from "node:module"; L2: import { exec, spawn } from "node:child_process"; L3: import * as path$1 from "node:path";
High
Child Process

Package source references child process execution.

build/program-Bz9wasNE.jsView on unpkg · L1
1829if (process$3.versions?.electron) parseOptions.from = "electron"; L1830: const execArgv = process$3.execArgv ?? []; L1831: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) parseOptions.from = "eval";
High
Shell

Package source references shell execution.

build/program-Bz9wasNE.jsView on unpkg · L1829
11640const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start \"\"" : "xdg-open"; L11641: exec(`${cmd} "${url}"`, (err) => { L11642: if (err) process.stderr.write(`Could not open browser (${cmd}): ${err.message}\n`); L11643: }); ... L11649: function togglOAuthLocalRedirectUri(port = TOGGL_OAUTH_CALLBACK_PORT) { L11650: return `http://localhost:${port}/callback`; L11651: }
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

build/program-Bz9wasNE.jsView on unpkg · L11640
25761} L25762: if (viaNpx) throw new Error(`Running via npx does not update a global install. Run \`npx ${getPublicPackageSpec()}\`, or install globally with:\n npm install -g ${getPublicPackage... L25763: const { command, args } = buildGlobalInstallCommand(detectPackageManager()); L25764: await new Promise((resolve, reject) => { L25765: const child = spawn(command, args, { stdio: "inherit" }); L25766: child.on("error", (err) => {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

build/program-Bz9wasNE.jsView on unpkg · L25761

Findings

1 Critical4 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltabuild/program-Bz9wasNE.js
HighChild Processbuild/program-Bz9wasNE.js
HighShellbuild/program-Bz9wasNE.js
HighCommand Output Exfiltrationbuild/program-Bz9wasNE.js
HighRuntime Package Installbuild/program-Bz9wasNE.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License