registry  /  @withfudge/design  /  0.7.1

@withfudge/design@0.7.1

Local Fudge design CLI and MCP server for querying saved pins with Prolog.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 32 file(s), 809 KB of source, external domains: 127.0.0.1, api.fontofweb.com, api.withfudge.com, chromewebstore.google.com, crawl.fontofweb.com, design.withfudge.com, fonts.gstatic.com, pin.fontofweb.com, pub-3a14aed695744ee3ae7b28553e18cf81.r2.dev, react.dev, search.fontofweb.com, www.google.com, www.w3.org

Source & flagged code

5 flagged · loading source
dist/ops/auth.jsView file
4import { join } from "node:path"; L5: import { execFile } from "node:child_process"; L6: import { promisify } from "node:util";
High
Child Process

Package source references child process execution.

dist/ops/auth.jsView on unpkg · L4
dist/ops/package-info.jsView file
1import { createRequire } from "node:module"; L2: const require = createRequire(import.meta.url); L3: const manifest = require("../../package.json");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/ops/package-info.jsView on unpkg · L1
dist/ops/login.jsView file
107const args = process.platform === "win32" ? ["/c", "start", "", url] : [url]; L108: const child = spawn(command, args, { stdio: "ignore", detached: true }); L109: child.unref(); ... L118: function apiBase(value) { L119: return (value || process.env.FUDGE_API_BASE || "https://api.withfudge.com").replace(/\/+$/, ""); L120: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/ops/login.jsView on unpkg · L107
1import { createHash, randomBytes } from "node:crypto"; L2: import { spawn } from "node:child_process"; L3: import { createServer } from "node:http"; L4: import { writeSession } from "./auth.js"; ... L6: export async function browserLoopbackLogin(options = {}) { L7: const state = randomBase64url(24); L8: const codeVerifier = randomBase64url(48); ... L39: headers: { "content-type": "application/json" }, L40: body: JSON.stringify({ code, code_verifier: codeVerifier }), L41: }); ... L101: function openInBrowser(url) { L102: const command = process.platform === "darwin"
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/ops/login.jsView on unpkg · L1
recipes/contrast-ratio.plView file
path = recipes/contrast-ratio.pl kind = build_helper sizeBytes = 2850 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

recipes/contrast-ratio.plView on unpkg

Findings

4 High5 Medium6 Low
HighChild Processdist/ops/auth.js
HighShell
HighSame File Env Network Executiondist/ops/login.js
HighSandbox Evasion Gated Capabilitydist/ops/login.js
MediumDynamic Requiredist/ops/package-info.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperrecipes/contrast-ratio.pl
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License