registry  /  @zapier/zapier-sdk-cli  /  0.61.3

@zapier/zapier-sdk-cli@0.61.3

Command line interface for Zapier SDK

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 11 file(s), 1.15 MB of source, external domains: docs.zapier.com, hooks.zapier.com, zapier.com

Source & flagged code

5 flagged · loading source
dist/experimental.mjsView file
25import 'is-installed-globally'; L26: import { execSync, spawn } from 'child_process'; L27: import Handlebars from 'handlebars';
High
Child Process

Package source references child process execution.

dist/experimental.mjsView on unpkg · L25
3807stdio: "inherit", L3808: shell: process.platform === "win32" ? "cmd.exe" : "/bin/sh" L3809: });
High
Shell

Package source references shell execution.

dist/experimental.mjsView on unpkg · L3807
4286function createNdjsonCallback() { L4287: return (message) => new Promise((resolve4, reject) => { L4288: process.stdout.write(JSON.stringify(message) + "\n", (err) => { L4289: if (err) reject(err); ... L4296: return new Promise((resolve4, reject) => { L4297: const child = spawn(command, args, { L4298: shell,
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/experimental.mjsView on unpkg · L4286
25import 'is-installed-globally'; L26: import { execSync, spawn } from 'child_process'; L27: import Handlebars from 'handlebars'; ... L94: try { L95: parsed = JSON.parse(raw); L96: } catch { ... L133: } L134: var DEFAULT_AUTH_BASE_URL = "https://zapier.com"; L135: var config = null; ... L299: this.code = "ZAPIER_CLI_USER_CANCELLATION"; L300: this.exitCode = 0; L301: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/experimental.mjsView on unpkg · L25
dist/login.cjsView file
2L3: var jwt = require('jsonwebtoken'); L4: var crossKeychain = require('cross-keychain');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/login.cjsView on unpkg · L2

Findings

3 High3 Medium6 Low
HighChild Processdist/experimental.mjs
HighShelldist/experimental.mjs
HighCommand Output Exfiltrationdist/experimental.mjs
MediumDynamic Requiredist/login.cjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/experimental.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License