registry  /  @vonzio/cli  /  0.2.2

@vonzio/cli@0.2.2

Terminal client for Vonzio — device-flow auth to any instance, run agents, resume and continue workspace chats.

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 138 KB of source, external domains: app.vonz.io, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/index.jsView file
3// src/index.ts L4: import { spawnSync } from "child_process"; L5: import { Command, Help } from "commander";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L3
2370const f = join4(tmpdir2(), `vz-clip-${randomUUID3()}.png`); L2371: run2("powershell", [ L2372: "-NoProfile",
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L2370
217// src/update-notifier.ts L218: import { spawn } from "child_process"; L219: ... L223: import { mkdirSync, readFileSync as readFileSync2, writeFileSync, chmodSync } from "fs"; L224: var DEFAULT_BASE_URL = "https://app.vonz.io"; L225: function configDir() { L226: const xdg = process.env.XDG_CONFIG_HOME; L227: return xdg ? join(xdg, "vonzio") : join(homedir(), ".config", "vonzio");
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L217
3// src/index.ts L4: import { spawnSync } from "child_process"; L5: import { Command, Help } from "commander"; ... L118: function renderWelcome(o) { L119: const W = Math.min(72, Math.max(56, (process.stdout.columns ?? 80) - 2)); L120: const inner = W - 6; ... L223: import { mkdirSync, readFileSync as readFileSync2, writeFileSync, chmodSync } from "fs"; L224: var DEFAULT_BASE_URL = "https://app.vonz.io"; L225: function configDir() { L226: const xdg = process.env.XDG_CONFIG_HOME; L227: return xdg ? join(xdg, "vonzio") : join(homedir(), ".config", "vonzio"); L228: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L3
345process.stderr.write(` L346: \u2191 vonzio ${current} \u2192 ${latest} update: vz upgrade (or npm i -g @vonzio/cli@latest) L347: `); ... L351: try { L352: spawn(process.execPath, [entryPath, "__check-update"], { detached: true, stdio: "ignore" }).unref(); L353: } catch {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L345

Findings

5 High3 Medium5 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings