registry  /  @volter-ai/portable.dev  /  3.4.0

@volter-ai/portable.dev@3.4.0

Portable — local-first launcher / tunnel-router (installable CLI)

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 412 KB of source, external domains: 127.0.0.1, accounts.google.com, api.apify.com, api.fly.io, api.github.com, api.slack.com, app.portable-dev.com, app.portable.dev, bun.sh, cdn.simpleicons.org, claude.com, console.apify.com, console.aws.amazon.com, developers.cloudflare.com, developers.google.com, docs.apify.com, docs.github.com, fly.io, github.com, modal.com, modal.portable-dev.com, modal.portable.dev, oauth2.googleapis.com, playwright.dev, portable-dev.com, portable.dev, slack.com, www.googleapis.com
Oversized source lightweight scan
server.js29.2 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringsaccounts.google.comapi.apify.comapi.fly.ioapi.github.comapi.slack.comapp.portable-dev.comapp.portable.devcdn.simpleicons.orgconsole.apify.comconsole.aws.amazon.comdevelopers.google.comdocs.apify.comdocs.github.comfly.iogithub.commodal.commodal.portable-dev.commodal.portable.devoauth2.googleapis.complaywright.devportable-dev.comportable.devslack.comwww.googleapis.com

Source & flagged code

3 flagged · loading source
cli.jsView file
25function resolveDataDir(override) { L26: const fromEnv = override || process.env.PORTABLE_DATA_DIR || process.env.DATA_DIR || (process.env.XDG_DATA_HOME ? path.join(process.env.XDG_DATA_HOME, "portable") : undefined) || p... L27: if (fromEnv.startsWith("~")) { ... L41: ENVELOPE_PREFIX, L42: iv.toString("base64"), L43: tag.toString("base64"), ... L191: }; L192: this.write(next); L193: return next; ... L314: }); L315: import { spawnSync } from "child_process"; L316: function readProcessAncestors(startPid, depth = 3) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

cli.jsView on unpkg · L25
server.jsView file
path = server.js kind = oversized_source_file sizeBytes = 30633742 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

server.jsView on unpkg
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg

Findings

1 Critical2 High3 Medium3 Low
CriticalManifest Confusionpackage.json
HighSandbox Evasion Gated Capabilitycli.js
HighOversized Source Fileserver.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings