registry  /  @truealter/cli  /  0.8.29

@truealter/cli@0.8.29

Superseded by 0.8.30. Please upgrade: npm i -g @truealter/cli@latest

~Alter identity CLI - login once, authenticated everywhere.

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 165 file(s), 1.26 MB of source, external domains: 127.0.0.1, api.github.com, api.truealter.com, aur.archlinux.org, github.com, mcp.truealter.com, objects.githubusercontent.com, obsidian.md, registry.npmjs.org, releases.truealter.com, starship.rs, token.actions.githubusercontent.com, truealter.com

Source & flagged code

7 flagged · loading source
dist/cc-wrapper/pty-adapter.jsView file
1import * as childProcess from "node:child_process"; L2: export async function spawnCcUnderPty(opts) {
High
Child Process

Package source references child process execution.

dist/cc-wrapper/pty-adapter.jsView on unpkg · L1
4const moduleId = "node-pty"; L5: const pty = (await import(moduleId)); L6: const proc = pty.spawn(opts.file, opts.args, {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cc-wrapper/pty-adapter.jsView on unpkg · L4
dist/commands/hooks.jsView file
173: `D="${hooksDir}"; [ -x "$D/_verify.sh" ] && bash "$D/_verify.sh" >/dev/null && [ -x ${scriptPath} ] && bash ${scriptPath}${argSuffix}; exit 0`; L174: return `bash -c '${body} ${marker}'`; L175: }
High
Shell

Package source references shell execution.

dist/commands/hooks.jsView on unpkg · L173
dist/lib/cosmetics/inscribe.jsView file
61if (surface.id === "pfetch") { L62: return inscribePfetch(surface, ctx); L63: } ... L178: function expandHome(p) { L179: return p.replace(/^\$HOME/, os.homedir()); L180: } L181: function ccStatuslineWardrobePath() { L182: const base = process.env.XDG_CONFIG_HOME || path.join(os.homedir(), ".config"); L183: return path.join(base, "alter", "statusline-wardrobe.json"); ... L187: return "fish"; L188: if (targetPath.endsWith(".bashrc") || targetPath.endsWith(".bash_profile")) L189: return "bash";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/lib/cosmetics/inscribe.jsView on unpkg · L61
dist/doctor/checks/runtime.jsView file
1import * as fs from "node:fs"; L2: import * as net from "node:net"; L3: import * as os from "node:os"; L4: import * as path from "node:path"; L5: import { execFile as _execFile } from "node:child_process"; L6: import { promisify } from "node:util"; ... L11: } L12: const runtimeDir = process.env.XDG_RUNTIME_DIR; L13: if (runtimeDir) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/doctor/checks/runtime.jsView on unpkg · L1
dist/commands/alignment.jsView file
1import { spawn } from "child_process"; L2: import * as path from "path"; ... L13: function resolveServerCmd() { L14: const envCmd = process.env.ALTER_MCP_CMD; L15: if (envCmd) { ... L24: "(no shell metacharacters)."); L25: process.exitCode = 1; L26: return null; ... L39: "Set ALTER_MCP_CMD=<absolute-path-to-the-server-binary> to enable. " + L40: "See https://truealter.com/docs/cli#alignment"); L41: process.exitCode = 1; ... L49: const wait = await withKeyListenerCancel(async (signal) => {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/alignment.jsView on unpkg · L1
dist/assets/statusline/statusline.shView file
path = [redacted].sh kind = build_helper sizeBytes = 47150 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/assets/statusline/statusline.shView on unpkg

Findings

4 High6 Medium6 Low
HighChild Processdist/cc-wrapper/pty-adapter.js
HighShelldist/commands/hooks.js
HighSame File Env Network Executiondist/doctor/checks/runtime.js
HighSandbox Evasion Gated Capabilitydist/commands/alignment.js
MediumDynamic Requiredist/cc-wrapper/pty-adapter.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/lib/cosmetics/inscribe.js
MediumShips Build Helperdist/assets/statusline/statusline.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings