@vm0/cli@9.223.7

CLI application

Static Scan Results

scanned 42m ago · by rust-scanner

Static analysis flagged 29 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Telemetry, UrlStrings
Manifest: NoLicense
scanned 595 file(s), 8.23 MB of source

Source & flagged code

21 flagged
doctor-UYMLO2DE.js

patternName = stripe_live_secret severity = critical line = 4685 matchedText = "FAL_TOK...eLo"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

doctor-UYMLO2DE.js · L4685

patternName = stripe_live_secret severity = critical line = 4685 matchedText = "FAL_TOK...eLo"
Critical
Secret Pattern

Stripe live secret key in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L4685

patternName = github_oauth severity = critical line = 4806 matchedText = "GH_TOKE...f0",
Critical
Secret Pattern

GitHub OAuth access token in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L4806

patternName = github_oauth severity = critical line = 4807 matchedText = "GITHUB_...f0",
Critical
Secret Pattern

GitHub OAuth access token in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L4807

patternName = github_oauth severity = critical line = 4808 matchedText = "GITHUB_...Of0"
Critical
Secret Pattern

GitHub OAuth access token in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L4808

patternName = supabase_service_key severity = critical line = 5724 matchedText = "MONDAY_...oc",
Critical
Secret Pattern

Supabase service role key (JWT) in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L5724

patternName = supabase_service_key severity = critical line = 5725 matchedText = "MONDAY_...Loc"
Critical
Secret Pattern

Supabase service role key (JWT) in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L5725

patternName = sendgrid_api_key severity = critical line = 6473 matchedText = "SENDGRI...oca"
Critical
Secret Pattern

SendGrid API key in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L6473

patternName = slack_bot_token severity = critical line = 6576 matchedText = "SLACK_A...af",
Critical
Secret Pattern

Slack bot token in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L6576

patternName = slack_bot_token severity = critical line = 6577 matchedText = "SLACK_T...Saf"
Critical
Secret Pattern

Slack bot token in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L6577

patternName = supabase_service_key severity = critical line = 6603 matchedText = "SLOCK_A...ff",
Critical
Secret Pattern

Supabase service role key (JWT) in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L6603

patternName = supabase_service_key severity = critical line = 6605 matchedText = "SLOCK_T...0ff"
Critical
Secret Pattern

Supabase service role key (JWT) in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L6605

patternName = stripe_live_secret severity = critical line = 6759 matchedText = "STRIPE_...ff",
Critical
Secret Pattern

Stripe live secret key in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L6759

patternName = stripe_live_secret severity = critical line = 6760 matchedText = "STRIPE_...off"
Critical
Secret Pattern

Stripe live secret key in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L6760

patternName = supabase_service_key severity = critical line = 6942 matchedText = "TWENTY_...eLo"
Critical
Secret Pattern

Supabase service role key (JWT) in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L6942

patternName = stripe_live_secret severity = critical line = 7068 matchedText = "WORKOS_...fee"
Critical
Secret Pattern

Stripe live secret key in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L7068

patternName = stripe_test_secret severity = high line = 4255 matchedText = "CLERK_T...eSa"
High
Secret Pattern

Stripe test secret key in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L4255

patternName = google_api_key severity = high line = 4792 matchedText = "GEMINI_...ffe"
High
Secret Pattern

Google API key in doctor-UYMLO2DE.js

doctor-UYMLO2DE.js · L4792
esm-SRH3OR6L.js

L127: break;
L128: baggage[keyPair.key] = keyPair.metadata ? { value: keyPair.value, metadata: keyPair.metadata } : { value: keyPair.value };
L129: count2++;
...
L378: function getNumberFromEnv(key) {
L379: const raw = process.env[key];
L380: if (raw == null || raw.trim() === "") {
...
L4436: for (let i = 0; i < namespace.length; i++) {
L4437: hash = (hash << 5) - hash + namespace.charCodeAt(i);
L4438: hash |= 0;
...
L4697: let m;
L4698: return typeof document !== "undefined" && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance || // Is firebug? http://sta...
L4699: typeof window !== "undefined" && window.console && (window.console.firebug || window.console.exception && window.console.table) || // Is firefox >= v31?
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

esm-SRH3OR6L.js · L127

patternName = generic_password severity = medium line = 24683 matchedText = newUrl.p...d%";
Medium
Secret Pattern

Hardcoded password in esm-SRH3OR6L.js

esm-SRH3OR6L.js · L24683
index.js

L122: };
L123: const bypassSecret = process.env.VERCEL_AUTOMATION_BYPASS_SECRET;
L124: if (bypassSecret) {
...
L129: async function requestDeviceCode(apiUrl) {
L130: const response = await fetch(`${apiUrl}/api/cli/auth/device`, {
L131: method: "POST",
L132: headers: buildHeaders(),
L133: body: JSON.stringify({})
L134: });
...
L140: }
L141: return response.json();
L142: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

index.js · L122

Findings

16 Critical · 3 High · 5 Medium · 5 Low

Critical · Critical Secret · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
Critical · Secret Pattern · doctor-UYMLO2DE.js
High · Sandbox Evasion Gated Capability · index.js
High · Secret Pattern · doctor-UYMLO2DE.js
High · Secret Pattern · doctor-UYMLO2DE.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · esm-SRH3OR6L.js
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · esm-SRH3OR6L.js
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License