registry  /  @webhook-co/cli  /  0.2.0

@webhook-co/cli@0.2.0

⚠ Under review

Capture, inspect, and replay webhooks from your terminal — the webhook.co CLI (wbhk).

Static Scan Results

scanned 14d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 664 KB of source, external domains: 127.0.0.1, api.ebay.com, api.github.com, api.sandbox.ebay.com, api.webhook.co, app.webhook.co, auth.webhook.co, ctfe.sigstore.dev, developer.constantcontact.com, fulcio.sigstore.dev, github.com, json-schema.org, log2025-1.rekor.sigstore.dev, rekor.sigstore.dev, telemetry.wbhk.my, timestamp.sigstore.dev, token.actions.githubusercontent.com

Source & flagged code

6 flagged · loading source
dist/bin.jsView file
1#!/usr/bin/env node L2: import{createRequire as aL}from"node:module";var nL=Object.create;var{getPrototypeOf:cL,defineProperty:wJ,getOwnPropertyNames:iL}=Object;var dL=Object.prototype.hasOwnProperty;func... L3: `).forEach((X)=>{if(X.match(MC)||X.match(IC))return;U+=X}),Buffer.from(U,"base64")}function KC($,U="CERTIFICATE"){let J=$.toString("base64").match(/.{1,64}/g)||"";return[`-----BEGI... ... L7: `,Ck=/\u2014 (\S+) (\S+)\n/g;function xk($,U){let X=$.inclusionProof,J=Pq.fromString(X.checkpoint.envelope),Q=eX.fromString(J.note);if(!kk(J,U))throw new QQ.VerificationError({code... L8: `);if(U.length<3)throw new QQ.VerificationError({code:"TLOG_INCLUSION_PROOF_ERROR",message:"too few lines in checkpoint header"});let X=U[0],J=BigInt(U[1]),Q=Buffer.from(U[2],"base... L9: `).join(` ... L11: `)}function gE($){if($)process.env.DEBUG=$;else delete process.env.DEBUG}function bE(){return process.env.DEBUG}function fE($){$.inspectOpts={};let U=Object.keys(VP.inspectOpts);fo... L12: `).map((U)=>U.trim()).join(" ")};IP.O=function($){return this.inspectOpts.colors=this.useColors,QJ.inspect($,this.inspectOpts)}});var Cq=S((Ie,Sq)=>{if(typeof process>"u"||process.... L13: `).join(`\r ... L39
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/bin.jsView on unpkg · L1
27Trigger-reachable chain: manifest.bin -> dist/bin.js L27: `:`${I} L28: `),Y)return Y(q);return b$.CommandRunError}return b$.Success}var n0=Symbol("RouteMap"),BQ=Symbol("Command");function W2($,U,X){let J=[...X],Q=[],v,G=$,Y,z=!0,Z=!1,q=!1;return{next:... L29: `:`${V} ... L39: `)+` L40: `},getDefaultCommand:()=>{return G},getOtherAliasesForInput:(z,Z)=>{if(U){if(z===U)return{original:[""],"convert-camel-to-kebab":[""]};if(z==="")return{original:[U],"convert-camel-... L41: `)}var N1=($)=>(U,X,J,Q)=>{let v=J?{...J,async:!1}:{async:!1},G=U._zod.run({value:X,issues:[]},v);if(G instanceof Promise)throw new L4;if(G.issues.length){let Y=new(Q?.Err??$)(G.is... L42: `).filter((v)=>v),J=Math.min(...X.map((v)=>v.length-v.trimStart().length)),Q=X.map((v)=>v.slice(J)).map((v)=>" ".repeat(this.indent*2)+v);for(let v of Q)this.content.push(v)}compil... L43: `))}}var i9={major:4,minor:4,patch:3};var m=H("$ZodType",($,U)=>{var X;$??($={}),$._zod.def=U,$._zod.bag=$._zod.bag||{},$._zod.version=i9;let J=[...$._zod.def.checks??[]];if($._zod... L44: if (${R}.issues.length) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/bin.jsView on unpkg · L27
278scopes: ${I} L279: `)},parameters:{flags:{...u}},docs:{brief:"show the authenticated org, scopes, and key handle"}});var Wj=f$({routes:{list:UV,get:QV,create:XV,delete:JV,rotate:vV,"add-provider-secr... L280: `).some((X)=>X.indexOf("(https.js:")!==-1||X.indexOf("node:https:")!==-1)}incrementSockets($){if(this.maxSockets===1/0&&this.maxTotalSockets===1/0)return null;if(!this.sockets[$])t...
High
Child Process

Package source references child process execution.

dist/bin.jsView on unpkg · L278
39`)+` L40: `},getDefaultCommand:()=>{return G},getOtherAliasesForInput:(z,Z)=>{if(U){if(z===U)return{original:[""],"convert-camel-to-kebab":[""]};if(z==="")return{original:[U],"convert-camel-... L41: `)}var N1=($)=>(U,X,J,Q)=>{let v=J?{...J,async:!1}:{async:!1},G=U._zod.run({value:X,issues:[]},v);if(G instanceof Promise)throw new L4;if(G.issues.length){let Y=new(Q?.Err??$)(G.is...
High
Eval

Package source references dynamic code evaluation.

dist/bin.jsView on unpkg · L39
263`+(U?`anonymous: which commands, cli version, OS/arch — never your data, args, or credentials. L264: `:""))}var dR=E({async func(){await _K(this,!0)},parameters:{flags:{...u}},docs:{brief:"enable anonymous usage telemetry"}}),lR=E({async func(){await _K(this,!1)},parameters:{flags... L265: `:`telemetry is ${Q?"ON":"OFF"}. L266: `+(Q?"opt out anytime: `wbhk telemetry off` (or set WBHK_TELEMETRY=0 / DO_NOT_TRACK=1).\n":"enable with `wbhk telemetry on`.\n"))},parameters:{flags:{...u}},docs:{brief:"show wheth... L267: `).map((G)=>/^([0-9a-fA-F]+)\s+\*?(.+?)\s*$/.exec(G.trim())).find((G)=>G!==null&&G[2]===X);if(J===null||J===void 0)throw Error(`no checksum entry for ${X} — refusing to upgrade`);l... L268: `:`${Y.join(` ... L278: scopes: ${I} L279: `)},parameters:{flags:{...u}},docs:{brief:"show the authenticated org, scopes, and key handle"}});var Wj=f$({routes:{list:UV,get:QV,create:XV,delete:JV,rotate:vV,"add-provider-secr... L280: `).some((X)=>X.indexOf("(https.js:")!==-1||X.indexOf("node:https:")!==-1)}incrementSockets($){if(this.maxSockets===1/0&&this.maxTotalSockets===1/0)return null;if(!this.sockets[$])t...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin.jsView on unpkg · L263
27`:`${I} L28: `),Y)return Y(q);return b$.CommandRunError}return b$.Success}var n0=Symbol("RouteMap"),BQ=Symbol("Command");function W2($,U,X){let J=[...X],Q=[],v,G=$,Y,z=!0,Z=!1,q=!1;return{next:... L29: `:`${V} ... L39: `)+` L40: `},getDefaultCommand:()=>{return G},getOtherAliasesForInput:(z,Z)=>{if(U){if(z===U)return{original:[""],"convert-camel-to-kebab":[""]};if(z==="")return{original:[U],"convert-camel-... L41: `)}var N1=($)=>(U,X,J,Q)=>{let v=J?{...J,async:!1}:{async:!1},G=U._zod.run({value:X,issues:[]},v);if(G instanceof Promise)throw new L4;if(G.issues.length){let Y=new(Q?.Err??$)(G.is... L42: `).filter((v)=>v),J=Math.min(...X.map((v)=>v.length-v.trimStart().length)),Q=X.map((v)=>v.slice(J)).map((v)=>" ".repeat(this.indent*2)+v);for(let v of Q)this.content.push(v)}compil... L43: `))}}var i9={major:4,minor:4,patch:3};var m=H("$ZodType",($,U)=>{var X;$??($={}),$._zod.def=U,$._zod.bag=$._zod.bag||{},$._zod.version=i9;let J=[...$._zod.def.checks??[]];if($._zod... L44: if (${R}.issues.length) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/bin.jsView on unpkg · L27

Findings

2 Critical5 High3 Medium4 Low
CriticalRemote Asset Decode Executedist/bin.js
CriticalTrigger Reachable Dangerous Capabilitydist/bin.js
HighChild Processdist/bin.js
HighEvaldist/bin.js
HighSame File Env Network Executiondist/bin.js
HighCommand Output Exfiltrationdist/bin.js
HighObfuscated
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings