registry  /  addashboard-cli  /  0.2.3

addashboard-cli@0.2.3

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 9 file(s), 65.6 KB of source, external domains: 127.0.0.1, accounts.google.com, macchiato.site

Source & flagged code

3 flagged · loading source
dist/commands/freee.jsView file
23const url_1 = require("url"); L24: const child_process_1 = require("child_process"); L25: const apiClient_1 = require("../lib/apiClient");
High
Child Process

Package source references child process execution.

dist/commands/freee.jsView on unpkg · L23
dist/commands/authGoogle.jsView file
6exports.runGoogleLogin = runGoogleLogin; L7: const http_1 = __importDefault(require("http")); L8: const crypto_1 = __importDefault(require("crypto")); L9: const child_process_1 = require("child_process"); L10: const axios_1 = __importDefault(require("axios")); L11: const AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth'; L12: const ALLOWED_HD = process.env.WEBGRAM_GOOGLE_HD || 'webgram.jp'; L13: const CALLBACK_TIMEOUT_MS = 5 * 60 * 1000; // 5 分
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/authGoogle.jsView on unpkg · L6
6exports.runGoogleLogin = runGoogleLogin; L7: const http_1 = __importDefault(require("http")); L8: const crypto_1 = __importDefault(require("crypto")); L9: const child_process_1 = require("child_process"); L10: const axios_1 = __importDefault(require("axios")); L11: const AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth'; L12: const ALLOWED_HD = process.env.WEBGRAM_GOOGLE_HD || 'webgram.jp'; L13: const CALLBACK_TIMEOUT_MS = 5 * 60 * 1000; // 5 分 ... L24: let args; L25: if (process.platform === 'darwin') { L26: cmd = 'open'; ... L83: // PKCE + state
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/authGoogle.jsView on unpkg · L6

Findings

3 High3 Medium6 Low
HighChild Processdist/commands/freee.js
HighSame File Env Network Executiondist/commands/authGoogle.js
HighSandbox Evasion Gated Capabilitydist/commands/authGoogle.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License