registry  /  @zibby/cli  /  0.8.11

@zibby/cli@0.8.11

⚠ Under review

Zibby CLI - Test automation generator and runner

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 88 file(s), 927 KB of source, external domains: aistudio.google.com, api-prod.zibby.app, api.ipify.org, console.anthropic.com, cursor.com, dl.zibby.app, docs.aws.amazon.com, docs.zibby.app, docs.zibby.dev, example.com, github.com, logs-stream.zibby.app, logs.workflows.zibby.app, platform.openai.com, s3.amazonaws.com, studio.zibby.dev, www.anthropic.com, x.com, zibby.dev, zibby.studio

Source & flagged code

9 flagged · loading source
dist/auth/ensure-auth.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zibby/cli@0.8.5 matchedIdentity = npm:QHppYmJ5L2NsaQ:0.8.5 similarity = 0.807 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/auth/ensure-auth.jsView on unpkg
1import{existsSync as Q,readFileSync as oo}from"fs";import{join as E}from"path";import U from"chalk";import{confirm as eo}from"@inquirer/prompts";import t from"chalk";import w from"... L2: \u{1F510} Initiating login...
High
Child Process

Package source references child process execution.

dist/auth/ensure-auth.jsView on unpkg · L1
1import{existsSync as Q,readFileSync as oo}from"fs";import{join as E}from"path";import U from"chalk";import{confirm as eo}from"@inquirer/prompts";import t from"chalk";import w from"... L2: \u{1F510} Initiating login...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/auth/ensure-auth.jsView on unpkg · L1
1import{existsSync as Q,readFileSync as oo}from"fs";import{join as E}from"path";import U from"chalk";import{confirm as eo}from"@inquirer/prompts";import t from"chalk";import w from"... L2: \u{1F510} Initiating login... L3: `));let o=W();if(o.loggedIn){console.log(t.green("\u2705 Already logged in!")),console.log(t.gray(`User: ${o.user.email}`)),console.log(t.gray(`Name: ${o.user.name} L4: `));let{createInterface:e}=await import("readline"),n=e({input:process.stdin,output:process.stdout});return new Promise((r,a)=>{let i=()=>{n.close(),process.stdin.isTTY&&process.st... L5: ... L12: \u26A0\uFE0F Login cancelled L13: `)),process.exit(0)};process.on("SIGINT",S);try{for(;b<F&&!k;){await X(D),b++;let c=await fetch(`${o}/cli/login/poll`,{method:"POST",headers:{"Content-Type":"application/json"},bod... L14: `)),{success:!0,loggedIn:!0,user:s.user,token:s.token}}if(s.status==="denied")throw g.fail("Authorization denied"),new Error("User denied authorization")}throw g.fail("Login timeou...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/auth/ensure-auth.jsView on unpkg · L1
dist/config/config-loader.jsView file
1import{existsSync as t}from"fs";import{join as n}from"path";import{pathToFileURL as e}from"url";async function s(i){let r=n(i,".zibby.config.mjs");if(!t(r))throw new Error(".zibby....
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/config/config-loader.jsView on unpkg · L1
dist/commands/workflows/run.jsView file
1#!/usr/bin/env node L2: var jt=Object.defineProperty;var je=(e=>typeof require<"u"?require:typeof Proxy<"u"?new Proxy(e,{get:(t,r)=>(typeof require<"u"?require:t)[r]}):e)(function(e){if(typeof require<"u"... L3: `);y=m.pop()||"";for(let I of m){let D=I.trim();D&&a.push(D)}}return d(h,g,w)},c(`[Middleware] Started capturing logs for ${n}`);let U=!1,R=setInterval(()=>{if(U)return;let h=a.joi... ... L50: }); L51: `}function Je(e,t){if(!e)return{written:!1,path:null,reason:"no workspaceDir"};for(let n of["js","mjs","ts"]){let s=He(e,`playwright.config.${n}`);if(Mt(s))return{written:!1,path:s... L52: `);te=ke.pop()||"";for(let Nt of ke){let Ne=Nt.replace(/\r/g,"").trimEnd();Ne&&Ce(Ne)}}),k.on("end",()=>{let re=te.replace(/\r/g,"").trimEnd();re&&Ce(re)})};Le(ee.stdout,k=>console...
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/commands/workflows/run.jsView on unpkg · L1
1#!/usr/bin/env node L2: var jt=Object.defineProperty;var je=(e=>typeof require<"u"?require:typeof Proxy<"u"?new Proxy(e,{get:(t,r)=>(typeof require<"u"?require:t)[r]}):e)(function(e){if(typeof require<"u"... L3: `);y=m.pop()||"";for(let I of m){let D=I.trim();D&&a.push(D)}}return d(h,g,w)},c(`[Middleware] Started capturing logs for ${n}`);let U=!1,R=setInterval(()=>{if(U)return;let h=a.joi... ... L50: }); L51: `}function Je(e,t){if(!e)return{written:!1,path:null,reason:"no workspaceDir"};for(let n of["js","mjs","ts"]){let s=He(e,`playwright.config.${n}`);if(Mt(s))return{written:!1,path:s... L52: `);te=ke.pop()||"";for(let Nt of ke){let Ne=Nt.replace(/\r/g,"").trimEnd();Ne&&Ce(Ne)}}),k.on("end",()=>{let re=te.replace(/\r/g,"").trimEnd();re&&Ce(re)})};Le(ee.stdout,k=>console...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/commands/workflows/run.jsView on unpkg · L1
dist/commands/workflows/generate.jsView file
1var uo=Object.defineProperty;var H=(t,e)=>()=>(t&&(e=t(t=0)),e);var G=(t,e)=>{for(var o in e)uo(t,o,{get:e[o],enumerable:!0})};import{existsSync as fo,readFileSync as yo,writeFileS... L2: `,"utf-8")}var me,Qe=H(()=>{me={cursor:{envVar:"CURSOR_API_KEY",label:"Cursor API Key",url:"https://cursor.com/settings"},claude:{envVar:"ANTHROPIC_API_KEY",label:"Anthropic API Ke... L3: Missing template name. L4: `)),console.log(P.gray(" Usage: zibby template add <name>")),console.log(P.gray(` See available templates: zibby template list L5: `)),process.exit(1));let o=e.cwd||process.cwd(),r=ee(o,".zibby");ye(r)||(console.log(P.yellow(` L6: No .zibby/ directory in ${o}. ... L9: `)),console.log(P.gray(` See available templates: zibby template list L10: `)),process.exit(1)}console.log(""),console.log(P.green(` \u2713 Added template ${P.bold(n.template.name)}`)),console.log(P.gray(` ${n.copied.length} files written to ${r}/`));... L11: `);return r===t?{content:t,action:"skipped"}:{content:r,action:"updated"}}let o=t.endsWith(` ... L14: L15: `;return{content:t+o+e,action:"updated"}}var Ae,it=H(()=>{Ae=/<!--\s*BEGIN ZIBBY[^>]*-->[\s\S]*?<!--\s*END ZIBBY[^>]*-->\s*/i});var ct={};G(ct,{ap
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/workflows/generate.jsView on unpkg · L1
dist/commands/run.jsView file
1var De=Object.defineProperty;var je=(t,o)=>()=>(t&&(o=t(t=0)),o);var Ye=(t,o)=>{for(var s in o)De(t,s,{get:o[s],enumerable:!0})};var xe={};Ye(xe,{_resetLoaderCacheForTests:()=>lo,l... L2: `,"utf8")}function _e(t,o,s,l={}){let i=Number(o),a=Number(s);if(!Number.isFinite(i)||i<=0||!Number.isFinite(a)||a<=0)return;let n=ye(l),y=te(t,n,i);if(!fe(y))return;let d=me(t,n,i... L3: `,"utf8")}import{readFileSync as O,existsSync as w,statSync as Te,mkdirSync as Ue,writeFileSync as Se,appendFileSync as go,rmSync as $e}from"fs";import{resolve as B,join as $,dirna... L4: [CLI_FATAL] ${new Date().toISOString()} ... L25: Plan: ${c.storageInfo.planId} L26: Upgrade at: https://studio.zibby.dev/billing`)}}throw new Error(c.error||"Failed to initiate upload")}let{executionId:F,uploadUrls:R,isOrphan:ke,projectId:Q}=await Z.json();v.text=... L27: ${"\u2501".repeat(50)}`)),console.log(e.white(`Execution ID: ${e.cyan(F)}`));let ue=se();console.log(ke?e.white(`Location: ${e.yellow("History tab")}`):e.white(`Collection: ${e.cya...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/run.jsView on unpkg · L1

Findings

1 Critical5 High5 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/auth/ensure-auth.js
HighChild Processdist/auth/ensure-auth.js
HighSame File Env Network Executiondist/auth/ensure-auth.js
HighCredential Exfiltrationdist/commands/workflows/run.js
HighCommand Output Exfiltrationdist/auth/ensure-auth.js
HighSandbox Evasion Gated Capabilitydist/commands/run.js
MediumDynamic Requiredist/config/config-loader.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/workflows/generate.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/commands/workflows/run.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License