registry  /  @umudik/lotaru  /  0.2.16

@umudik/lotaru@0.2.16

Local-first task orchestration ? run shell tasks on your projects from the browser

Static Scan Results

scanned 34m ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 21 file(s), 869 KB of source, external domains: 127.0.0.1, auth.fookiecloud.com, fookiecloud.com, lotaru.fookiecloud.com, reactjs.org, www.w3.org

Source & flagged code

5 flagged · loading source
dist-server/auth/credentials.jsView file
4import { join } from 'node:path'; L5: import { spawn } from 'node:child_process'; L6: import { hostname as osHostname } from 'node:os';
High
Child Process

Package source references child process execution.

dist-server/auth/credentials.jsView on unpkg · L4
1import { createServer } from 'node:http'; L2: import { createHash, randomBytes } from 'node:crypto'; ... L4: import { join } from 'node:path'; L5: import { spawn } from 'node:child_process'; L6: import { hostname as osHostname } from 'node:os'; L7: const AUTH_ISSUER = process.env['FOOKIE_AUTH_ISSUER'] ?? 'https://auth.fookiecloud.com'; L8: const CLIENT_ID = process.env['LOTARU_CLIENT_ID'] ?? 'lotaru';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-server/auth/credentials.jsView on unpkg · L1
1import { createServer } from 'node:http'; L2: import { createHash, randomBytes } from 'node:crypto'; ... L4: import { join } from 'node:path'; L5: import { spawn } from 'node:child_process'; L6: import { hostname as osHostname } from 'node:os'; L7: const AUTH_ISSUER = process.env['FOOKIE_AUTH_ISSUER'] ?? 'https://auth.fookiecloud.com'; L8: const CLIENT_ID = process.env['LOTARU_CLIENT_ID'] ?? 'lotaru'; ... L13: } L14: function base64url(buf) { L15: return buf.toString('base64url'); ... L23: let child; L24: if (process.platform === 'win32') {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist-server/auth/credentials.jsView on unpkg · L1
dist-server/system/pickFolder.jsView file
12].join('; '); L13: const { stdout } = await execFileAsync('powershell.exe', ['-NoProfile', '-STA', '-Command', script], { windowsHide: false }); L14: const path = stdout.trim();
High
Shell

Package source references shell execution.

dist-server/system/pickFolder.jsView on unpkg · L12
dist/index.jsView file
26if (existsSync(bundled)) { L27: const mod = (await import(pathToFileURL(bundled).href)); L28: return mod.start;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L26

Findings

4 High4 Medium5 Low
HighChild Processdist-server/auth/credentials.js
HighShelldist-server/system/pickFolder.js
HighSame File Env Network Executiondist-server/auth/credentials.js
HighSandbox Evasion Gated Capabilitydist-server/auth/credentials.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings