registry  /  @tokenoftrust/cli  /  1.2.3

@tokenoftrust/cli@1.2.3

Token of Trust developer CLI — check out a tenant store, run it locally with save→reload, and submit it for preview. Installs the `tot` command.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis completed at 93.0% confidence. No malicious behavior was detected; 11 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 203 KB of source, external domains: 127.0.0.1, docs.docker.com, git-scm.com, mcp.tokenoftrust.com, registry.npmjs.org

Source & flagged code

4 flagged · loading source
src/update-check.mjsView file
29import { join, dirname } from "node:path"; L30: import { spawn } from "node:child_process"; L31: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

src/update-check.mjsView on unpkg · L29
29import { join, dirname } from "node:path"; L30: import { spawn } from "node:child_process"; L31: import { fileURLToPath } from "node:url"; ... L36: const PKG = "@tokenoftrust/cli"; L37: const DEFAULT_NPM_REGISTRY = "https://registry.npmjs.org"; L38: const FETCH_TIMEOUT_MS = 3000; ... L40: /** Absolute path to the update-check cache for this environment. */ L41: export function updateCachePath(env = process.env) { L42: const home = env.TOT_HOME || homedir();
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/update-check.mjsView on unpkg · L29
src/commands/dev.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @tokenoftrust/cli@1.2.2 matchedIdentity = npm:QHRva2Vub2Z0cnVzdC9jbGk:1.2.2 similarity = 0.880 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/commands/dev.mjsView on unpkg
16* scripts/tot-dev.mjs grafts the checkout in and boots astro dev L17: * --host at http://localhost:<port>/<appDomain>/, with real (not L18: * polled) file-watch HMR. Nothing is published; product data renders ... L33: */ L34: import { spawn, spawnSync, execFileSync } from "node:child_process"; L35: import { existsSync, readFileSync, writeFileSync, mkdirSync, renameSync, rmSync, createWriteStream } from "node:fs"; ... L55: /** Where downloaded+installed renderer-artifact versions are cached, one dir per version. */ L56: const RENDERER_CACHE_ROOT = join(homedir(), ".tot", "cache", "renderer"); L57: /** The PUBLIC, un-entitled runner published to npm (sample / zero-login mode). */ ... L94: L95: Edit content/*.html or the theme + save → the browser reloads. Private local L96: preview — nothing is published. Prerequisites: Node.js and an invite (or just
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/commands/dev.mjsView on unpkg · L16

Findings

4 High2 Medium5 Low
HighChild Processsrc/update-check.mjs
HighShell
HighSame File Env Network Executionsrc/update-check.mjs
HighPrevious Version Dangerous Deltasrc/commands/dev.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/commands/dev.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings