
@wayai/cli@0.3.81

WayAI CLI — sync hub configuration between local files and the platform

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Eval, Filesystem, Native Bindings, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 802 KB of source, external domains: 127.0.0.1, api.wayai.pro, github.com, raw.githubusercontent.com, sprightly-comic-51.authkit.app

Source & flagged code

3 flagged
dist/index.js
L35: // over-redacting benign substrings (e.g. `gateway_config`); the charset is
L36: // base64url (no `.`) so a trailing sentence period stays outside the match.
L37: [/\bway_[A-Za-z0-9_-]{8,}/g, "way_[REDACTED]"],
L38: // wst_ single-use WebSocket tickets (same opaque base64url format).
L39: [/\bwst_[A-Za-z0-9_-]{8,}/g, "wst_[REDACTED]"],
...
L84: try {
L85: const __dirname3 = dirname(fileURLToPath(import.meta.url));
L86: const pkg2 = JSON.parse(readFileSync(join(__dirname3, "..", "..", "package.json"), "utf-8"));
L87: return pkg2.version || "0.0.0";
...
L100: if (initialized) return;
L101: if (process.env.WAYAI_TELEMETRY_DISABLED === "1") return;
L102: const dsn = process.env.SENTRY_DSN || HARDCODED_DSN;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.js · L35
package = @wayai/cli; repositoryIdentity = platform; dependency = @napi-rs/keyring
L8758: try {
L8759: const mod = await import("@napi-rs/keyring");
L8760: const Entry = mod.Entry;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/index.js · L8758
L11111: if (c.states_deleted > 0) parts.push(`${c.states_deleted} state(s) deleted`);
L11112: if (c.evals_created > 0) parts.push(`${c.evals_created} eval(s) created`);
L11113: if (c.evals_updated > 0) parts.push(`${c.evals_updated} eval(s) updated`);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.js · L11111

Findings

2 High · 3 Medium · 5 Low
High · Sandbox Evasion Gated Capability · dist/index.js
High · Copied Package Dependency Bridge · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · dist/index.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings