registry  /  @weactive8/8contentpro  /  0.1.7

@weactive8/8contentpro@0.1.7

ICP-driven content marketing as a CLI. Runs the WeActive8 Blog Protocol on your own Claude (BYOC).

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 34 file(s), 227 KB of source, external domains: 8contentpro.com, 8cp-upload.wa8.us, 8cp.wa8.us, api.sapling.ai, go.timesolv.com, schema.org, weactive8.com, yourcompany.com

Source & flagged code

4 flagged · loading source
dist/ink/App.jsView file
6import { mkdirSync } from "node:fs"; L7: import { exec } from "node:child_process"; L8: import { InputBox, Menu, Spinner, StatusBar, Header, Picker } from "./components.js";
High
Child Process

Package source references child process execution.

dist/ink/App.jsView on unpkg · L6
dist/attach.jsView file
1import { exec } from "node:child_process"; L2: import { startSpinner, updateSpinner, stopSpinner } from "./ui/spinner.js"; ... L6: * chooses a file, and it comes back as an https URL that Claude fetches during L7: * generation. See server/upload.mjs (https://8cp-upload.wa8.us). L8: */ L9: const UPLOAD_BASE = process.env.CONTENTPRO_UPLOAD_URL?.trim() || "https://8cp-upload.wa8.us"; L10: export function openBrowser(url) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/attach.jsView on unpkg · L1
1import { exec } from "node:child_process"; L2: import { startSpinner, updateSpinner, stopSpinner } from "./ui/spinner.js"; ... L6: * chooses a file, and it comes back as an https URL that Claude fetches during L7: * generation. See server/upload.mjs (https://8cp-upload.wa8.us). L8: */ L9: const UPLOAD_BASE = process.env.CONTENTPRO_UPLOAD_URL?.trim() || "https://8cp-upload.wa8.us"; L10: export function openBrowser(url) { L11: const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? 'start ""' : "xdg-open"; L12: exec(`${cmd} "${url}"`, () => { }); // best-effort; the URL is also printed for manual open ... L19: return null; L20: return (await res.json()); L21: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/attach.jsView on unpkg · L1
dist/output/seo.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @weactive8/8contentpro@0.1.4 matchedIdentity = npm:QHdlYWN0aXZlOC84Y29udGVudHBybw:0.1.4 similarity = 0.848 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/output/seo.jsView on unpkg

Findings

5 High3 Medium5 Low
HighChild Processdist/ink/App.js
HighShell
HighSame File Env Network Executiondist/attach.js
HighSandbox Evasion Gated Capabilitydist/attach.js
HighPrevious Version Dangerous Deltadist/output/seo.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License