@wevion/cli@1.0.2419

Wevion API command-line interface — generated from the public OpenAPI spec

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process · Environment Vars · Filesystem · Network · Shell
Supply chain: High Entropy Strings · Url Strings
Manifest: No License
scanned 2 file(s), 47.6 KB of source, external domains: 127.0.0.1, api-stage.wevion.ai, api.wevion.ai, registry.npmjs.org

Source & flagged code

4 flagged

src/index.mjs
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/index.mjs · L25

L25: import { dirname, join } from 'node:path'
L26: import { spawn } from 'node:child_process'
L27: ...
L31: // ponytail: hardcoded prod default; stage via --base-url / WEVION_BASE_URL / config.
L32: const DEFAULT_BASE_URL = 'https://api.wevion.ai'
L33: const DEFAULT_TIMEOUT_MS = 30_000
...
L36: // ~/.config/wevion/config.json (honours XDG_CONFIG_HOME). Stores { apiKey, baseUrl }.
L37: export function configPath(env = process.env, platform = process.platform) {
L38:   if (platform === 'win32') {
L39:     const base = env.APPDATA || join(env.USERPROFILE || env.HOME || homedir(), 'AppData', 'Roaming')
L40:     return join(base, 'Wevion', 'config.json')
...
L48:   try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/index.mjs · L25

L717: patternName = generic_password · severity = medium · line = 717 · matchedText = if (url....ED]'
Medium
Secret Pattern

Package contains a possible secret pattern.

src/index.mjs · L717

selftest.mjs

L7: import { join } from 'node:path'
L8: import { spawn } from 'node:child_process'
L9: import { fileURLToPath } from 'node:url'
High
Child Process

Package source references child process execution.

selftest.mjs · L7

Findings

4 High · 4 Medium · 5 Low

High · Child Process · selftest.mjs
High · Shell
High · Same File Env Network Execution · src/index.mjs
High · Sandbox Evasion Gated Capability · src/index.mjs
Medium · Secret Pattern · src/index.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License