registry  /  @warmhub/cli  /  0.63.0

@warmhub/cli@0.63.0

The wh CLI for WarmHub — create repos, commit and query data, and compound knowledge with your AI agents.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 1.68 MB of source, external domains: api.warmhub.ai, api.workos.com, docs.warmhub.ai, example.com, github.com, hooks.example.com, jimmy.warting.se, registry.npmjs.org, veritas-worker.warmhub.com, warmhub.ai

Source & flagged code

2 flagged · loading source
dist/wh.jsView file
6L7: // ../../node_modules/.bun/undici@6.27.0/node_modules/undici/lib/core/symbols.js L8: var require_symbols = __commonJS((exports, module) => { ... L30: kBodyUsed: Symbol("used"), L31: kBody: Symbol("abstracted request body"), L32: kRunning: Symbol("running"), ... L585: } L586: const code = this.code = key.charCodeAt(index); L587: if (code > 127) { ... L1984: var SessionCache; L1985: if (global.FinalizationRegistry && !(process.env.NODE_V8_COVERAGE || process.env.UNDICI_NO_FG)) { L1986: SessionCache = class WeakSessionCache {
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/wh.jsView on unpkg · L6
23691} L23692: eval(input, pos) { L23693: switch (this.type) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/wh.jsView on unpkg · L23691

Findings

1 High3 Medium6 Low
HighObfuscated Payload Loaderdist/wh.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/wh.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License