registry  /  @togglhq/cli  /  1.5.40

@togglhq/cli@1.5.40

⚠ Under review

Toggl CLI for Toggl 2.0 API operations.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 4 file(s), 995 KB of source, external domains: accounts.toggl.com, empty.invalid, focus.toggl.com, fonts.googleapis.com, fonts.gstatic.com, github.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

5 flagged · loading source
build/program-BwvgopV7.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @togglhq/cli@1.5.19 matchedIdentity = npm:QHRvZ2dsaHEvY2xp:1.5.19 similarity = 1.000 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/program-BwvgopV7.jsView on unpkg
6import { fileURLToPath } from "node:url"; L7: import { exec, spawn } from "node:child_process"; L8: import process$1 from "node:process";
High
Child Process

Package source references child process execution.

build/program-BwvgopV7.jsView on unpkg · L6
1829if (process$3.versions?.electron) parseOptions.from = "electron"; L1830: const execArgv = process$3.execArgv ?? []; L1831: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) parseOptions.from = "eval";
High
Shell

Package source references shell execution.

build/program-BwvgopV7.jsView on unpkg · L1829
11695const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start \"\"" : "xdg-open"; L11696: exec(`${cmd} "${url}"`, (err) => { L11697: if (err) process.stderr.write(`Could not open browser (${cmd}): ${err.message}\n`); L11698: }); ... L11704: function togglOAuthLocalRedirectUri(port = TOGGL_OAUTH_CALLBACK_PORT) { L11705: return `http://localhost:${port}/callback`; L11706: }
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

build/program-BwvgopV7.jsView on unpkg · L11695
25497} L25498: if (viaNpx) throw new Error(`Running via npx does not update a global install. Run \`npx ${getPublicPackageSpec()}\`, or install globally with:\n npm install -g ${getPublicPackage... L25499: const { command, args } = buildGlobalInstallCommand(detectPackageManager()); L25500: await new Promise((resolve, reject) => { L25501: const child = spawn(command, args, { stdio: "inherit" }); L25502: child.on("error", (err) => {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

build/program-BwvgopV7.jsView on unpkg · L25497

Findings

1 Critical4 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltabuild/program-BwvgopV7.js
HighChild Processbuild/program-BwvgopV7.js
HighShellbuild/program-BwvgopV7.js
HighCommand Output Exfiltrationbuild/program-BwvgopV7.js
HighRuntime Package Installbuild/program-BwvgopV7.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License