registry  /  @zapier/zapier-sdk-cli  /  0.65.7

@zapier/zapier-sdk-cli@0.65.7

⚠ Under review

Command line interface for Zapier SDK

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 11 file(s), 1.23 MB of source, external domains: docs.zapier.com, hooks.zapier.com, zapier.com

Source & flagged code

6 flagged · loading source
dist/experimental.mjsView file
25import 'is-installed-globally'; L26: import { execSync, spawn } from 'child_process'; L27: import Handlebars from 'handlebars';
High
Child Process

Package source references child process execution.

dist/experimental.mjsView on unpkg · L25
4168stdio: "inherit", L4169: shell: process.platform === "win32" ? "cmd.exe" : "/bin/sh" L4170: });
High
Shell

Package source references shell execution.

dist/experimental.mjsView on unpkg · L4168
4652function createNdjsonCallback() { L4653: return (message) => new Promise((resolve4, reject) => { L4654: process.stdout.write(JSON.stringify(message) + "\n", (err) => { L4655: if (err) reject(err); ... L4662: return new Promise((resolve4, reject) => { L4663: const child = spawn(command, args, { L4664: shell,
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/experimental.mjsView on unpkg · L4652
25import 'is-installed-globally'; L26: import { execSync, spawn } from 'child_process'; L27: import Handlebars from 'handlebars'; ... L94: try { L95: parsed = JSON.parse(raw); L96: } catch { ... L133: } L134: var DEFAULT_AUTH_BASE_URL = "https://zapier.com"; L135: var config = null; ... L299: this.code = "ZAPIER_CLI_USER_CANCELLATION"; L300: this.exitCode = 0; L301: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/experimental.mjsView on unpkg · L25
dist/login.cjsView file
2L3: var jwt = require('jsonwebtoken'); L4: var crossKeychain = require('cross-keychain');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/login.cjsView on unpkg · L2
dist/cli.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @zapier/zapier-sdk-cli@0.62.0 matchedIdentity = npm:QHphcGllci96YXBpZXItc2RrLWNsaQ:0.62.0 similarity = 0.545 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.cjsView on unpkg

Findings

1 Critical3 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/cli.cjs
HighChild Processdist/experimental.mjs
HighShelldist/experimental.mjs
HighCommand Output Exfiltrationdist/experimental.mjs
MediumDynamic Requiredist/login.cjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/experimental.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License