registry  /  @vikukumar/propvault  /  0.1.4

@vikukumar/propvault@0.1.4

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 214 file(s), 1.21 MB of source, external domains: connect.facebook.net, facebook.com, fonts.googleapis.com, fonts.gstatic.com, github.com, images.unsplash.com, img.youtube.com, instagram.com, linkedin.com, maps.google.com, propvault.dev, propvault.in, propvault.vikshro.in, registry.npmjs.org, schema.org, twitter.com, wa.me, www.google.com, www.googletagmanager.com, www.w3.org, yoursite.com, youtube.com

Source & flagged code

7 flagged · loading source
src/app/admin/settings/storage/page.tsxView file
38patternName = aws_access_key severity = critical line = 38 matchedText = { key: "..." },
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/app/admin/settings/storage/page.tsxView on unpkg · L38
38patternName = aws_access_key severity = critical line = 38 matchedText = { key: "..." },
Critical
Secret Pattern

AWS access key ID in src/app/admin/settings/storage/page.tsx

src/app/admin/settings/storage/page.tsxView on unpkg · L38
bin/cli.jsView file
11import net from "net"; L12: import { spawn, execSync } from "child_process"; L13: import { fileURLToPath } from "url";
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L11
164console.log(`\x1b[34m[Process]\x1b[0m Running 'npm run ${command}'...`); L165: const proc = spawn("npm", ["run", command], { stdio: "inherit", shell: true }); L166: proc.on("exit", (code) => {
High
Shell

Package source references shell execution.

bin/cli.jsView on unpkg · L164
276try { L277: execSync("npx tsx scripts/migrate.ts", { stdio: "inherit" }); L278: console.log("\x1b[32m✔ Database migrations completed successfully.\x1b[0m");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cli.jsView on unpkg · L276
src/lib/plugins/plugin-manager.tsView file
24const fileUrl = "file://" + absolutePath.replace(/\\/g, "/"); L25: const importer = new Function("path", "return " + "import" + "(path)"); L26: return importer(fileUrl);
Low
Eval

Package source references a known benign dynamic code generation pattern.

src/lib/plugins/plugin-manager.tsView on unpkg · L24
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg

Findings

3 Critical3 High3 Medium5 Low
CriticalCritical Secretsrc/app/admin/settings/storage/page.tsx
CriticalManifest Confusionpackage.json
CriticalSecret Patternsrc/app/admin/settings/storage/page.tsx
HighChild Processbin/cli.js
HighShellbin/cli.js
HighRuntime Package Installbin/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowEvalsrc/lib/plugins/plugin-manager.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License