registry  /  @whatalo/cli-kit  /  1.1.5

@whatalo/cli-kit@1.1.5

Shared CLI utilities for Whatalo plugin development tools

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 186 KB of source, external domains: developers.cloudflare.com, github.com, registry.npmjs.org

Source & flagged code

2 flagged · loading source
dist/config/index.cjsView file
45// src/config/toml.ts L46: var import_promises = require("fs/promises"); L47: var import_node_path = __toESM(require("path"), 1);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/config/index.cjsView on unpkg · L45
dist/tunnel/index.cjsView file
38// src/tunnel/cloudflared.ts L39: var import_node_child_process = require("child_process"); L40: var import_node_fs = require("fs"); ... L43: var import_node_os = __toESM(require("os"), 1); L44: var import_node_https = __toESM(require("https"), 1); L45: ... L68: function getBinDir() { L69: return import_node_path.default.join(import_node_os.default.homedir(), ".whatalo", "bin"); L70: } ... L74: function findOnSystemPath() { L75: const cmd = process.platform === "win32" ? "where" : "which"; L76: const result = (0, import_node_child_process.spawnSync)(cmd, ["cloudflared"], { encoding: "utf-8" });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/tunnel/index.cjsView on unpkg · L38

Findings

1 High4 Medium3 Low
HighSandbox Evasion Gated Capabilitydist/tunnel/index.cjs
MediumDynamic Requiredist/config/index.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings