registry  /  @withfudge/design  /  0.1.2

@withfudge/design@0.1.2

Local Fudge design CLI and MCP server for querying saved pins with Prolog.

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 24 file(s), 129 KB of source, external domains: 127.0.0.1, api.fontofweb.com, api.withfudge.com, design.withfudge.com, pub-3a14aed695744ee3ae7b28553e18cf81.r2.dev, search.fontofweb.com

Source & flagged code

4 flagged · loading source
dist/ops/auth.jsView file
4import { join } from "node:path"; L5: import { execFile } from "node:child_process"; L6: import { promisify } from "node:util";
High
Child Process

Package source references child process execution.

dist/ops/auth.jsView on unpkg · L4
dist/ops/package-info.jsView file
1import { createRequire } from "node:module"; L2: const require = createRequire(import.meta.url); L3: const manifest = require("../../package.json");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/ops/package-info.jsView on unpkg · L1
dist/ops/login.jsView file
107const args = process.platform === "win32" ? ["/c", "start", "", url] : [url]; L108: const child = spawn(command, args, { stdio: "ignore", detached: true }); L109: child.unref(); ... L118: function apiBase(value) { L119: return (value || process.env.FUDGE_API_BASE || "https://api.withfudge.com").replace(/\/+$/, ""); L120: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/ops/login.jsView on unpkg · L107
1import { createHash, randomBytes } from "node:crypto"; L2: import { spawn } from "node:child_process"; L3: import { createServer } from "node:http"; L4: import { writeSession } from "./auth.js"; ... L6: export async function browserLoopbackLogin(options = {}) { L7: const state = randomBase64url(24); L8: const codeVerifier = randomBase64url(48); ... L39: headers: { "content-type": "application/json" }, L40: body: JSON.stringify({ code, code_verifier: codeVerifier }), L41: }); ... L101: function openInBrowser(url) { L102: const command = process.platform === "darwin"
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/ops/login.jsView on unpkg · L1

Findings

4 High4 Medium4 Low
HighChild Processdist/ops/auth.js
HighShell
HighSame File Env Network Executiondist/ops/login.js
HighSandbox Evasion Gated Capabilitydist/ops/login.js
MediumDynamic Requiredist/ops/package-info.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License