registry  /  @venturekit/cli  /  0.0.0-dev.20260627215235

@venturekit/cli@0.0.0-dev.20260627215235

⚠ Under review

CLI for VentureKit - scaffolding and deploy orchestration

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 32 file(s), 428 KB of source, external domains: app.example.com, doc.venturekit.dev, github.com, schema.getpostman.com, token.actions.githubusercontent.com, venturekit.dev, www.npmjs.com

Source & flagged code

5 flagged · loading source
dist/utils/docker.jsView file
3*/ L4: import { execSync } from 'child_process'; L5: import { existsSync } from 'fs';
High
Child Process

Package source references child process execution.

dist/utils/docker.jsView on unpkg · L3
dist/commands/remove.jsView file
44stdio: 'inherit', L45: shell: true, L46: cwd: cdkDir,
High
Shell

Package source references shell execution.

dist/commands/remove.jsView on unpkg · L44
dist/utils/config-loader.jsView file
28}); L29: const mod = await jiti.import(configPath); L30: const config = mod?.default ?? mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/utils/config-loader.jsView on unpkg · L28
dist/utils/auto-deps.jsView file
183const cmd = pm === 'pnpm' L184: ? `pnpm add ${packages}` L185: : pm === 'yarn' ... L188: try { L189: execSync(cmd, { cwd: projectDir, stdio: 'pipe' }); L190: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/utils/auto-deps.jsView on unpkg · L183
dist/commands/deploy.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @venturekit/cli@0.0.1 matchedIdentity = npm:QHZlbnR1cmVraXQvY2xp:0.0.1 similarity = 0.733 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/commands/deploy.jsView on unpkg

Findings

1 Critical3 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/commands/deploy.js
HighChild Processdist/utils/docker.js
HighShelldist/commands/remove.js
HighRuntime Package Installdist/utils/auto-deps.js
MediumDynamic Requiredist/utils/config-loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings