registry  /  @xberg-io/xberg-cli  /  1.0.0-rc.18

@xberg-io/xberg-cli@1.0.0-rc.18

CLI proxy for xberg — downloads and runs the native xberg binary from GitHub releases.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 14.0 KB of source, external domains: api.github.com

Source & flagged code

1 flagged · loading source
install.jsView file
3import path from "node:path"; L4: import https from "node:https"; L5: import crypto from "node:crypto"; L6: import { fileURLToPath, pathToFileURL } from "node:url"; L7: import { spawnSync, execFileSync } from "node:child_process"; L8: ... L73: const buf = await httpGetBuffer(url, { headers: { Accept: "application/vnd.github+json" } }); L74: return JSON.parse(buf.toString("utf8")); L75: } ... L127: const triple = targetTriple(); L128: const pinned = process.env[VERSION_ENV]; L129: const apiUrl = pinned
High
Install Named Payload File

Install-named source file stages remote content through filesystem writes and execution.

install.jsView on unpkg · L3

Findings

1 High3 Medium3 Low
HighInstall Named Payload Fileinstall.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings