registry  /  annoty-cli  /  1.0.9

annoty-cli@1.0.9

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 26 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 891 KB of source, external domains: annoty-dash.web.app, cdn.annoty.com, example.supabase.co, github.com, mtrxqzvplymxewnpaorf.supabase.co, registry.npmjs.org, supabase.com, supabase.github.io, xyzcompany.supabase.co

Source & flagged code

18 flagged · loading source
dist/commands/groups.jsView file
3patternName = supabase_service_key severity = critical line = 3 matchedText = const SU...Fo';
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/commands/groups.jsView on unpkg · L3
3patternName = supabase_service_key severity = critical line = 3 matchedText = const SU...Fo';
Critical
Secret Pattern

Supabase service role key (JWT) in dist/commands/groups.js

dist/commands/groups.jsView on unpkg · L3
dist/commands/update.jsView file
1import { execSync } from 'child_process'; L2: import pc from 'picocolors';
High
Child Process

Package source references child process execution.

dist/commands/update.jsView on unpkg · L1
44console.log(pc.cyan('\nUpdating annoty-cli to the latest version...')); L45: execSync('npm install -g annoty-cli@latest', { stdio: 'inherit' }); L46: console.log(pc.bold(pc.green('\n✓ Update complete! Please check the version using: annoty --version\n')));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/update.jsView on unpkg · L44
dist/commands/inspect.jsView file
111stdio: 'inherit', L112: shell: true, L113: });
High
Shell

Package source references shell execution.

dist/commands/inspect.jsView on unpkg · L111
dist/overlay.jsView file
21487function loadOtel() { L21488: if (otelModulePromise === null) otelModulePromise = import( L21489: /* webpackIgnore: true */
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/overlay.jsView on unpkg · L21487
14773patternName = generic_password severity = medium line = 14773 matchedText = * pass...rd',
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L14773
15086patternName = generic_password severity = medium line = 15086 matchedText = * { pa...d' }
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L15086
16763patternName = generic_password severity = medium line = 16763 matchedText = * pass...rd',
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L16763
16860patternName = generic_password severity = medium line = 16860 matchedText = * pass...rd',
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L16860
16874patternName = generic_password severity = medium line = 16874 matchedText = * pass...rd',
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L16874
16886patternName = generic_password severity = medium line = 16886 matchedText = * pa...rd',
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L16886
16905patternName = generic_password severity = medium line = 16905 matchedText = * pa...rd',
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L16905
16991patternName = generic_password severity = medium line = 16991 matchedText = * pass...rd',
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L16991
17087patternName = generic_password severity = medium line = 17087 matchedText = * pass...rd',
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L17087
17098patternName = generic_password severity = medium line = 17098 matchedText = * pass...rd',
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L17098
18843patternName = generic_password severity = medium line = 18843 matchedText = * pass...ord'
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L18843
18865patternName = generic_password severity = medium line = 18865 matchedText = * pass...rd',
Medium
Secret Pattern

Hardcoded password in dist/overlay.js

dist/overlay.jsView on unpkg · L18865

Findings

2 Critical3 High17 Medium4 Low
CriticalCritical Secretdist/commands/groups.js
CriticalSecret Patterndist/commands/groups.js
HighChild Processdist/commands/update.js
HighShelldist/commands/inspect.js
HighRuntime Package Installdist/commands/update.js
MediumDynamic Requiredist/overlay.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/overlay.js
MediumSecret Patterndist/overlay.js
MediumSecret Patterndist/overlay.js
MediumSecret Patterndist/overlay.js
MediumSecret Patterndist/overlay.js
MediumSecret Patterndist/overlay.js
MediumSecret Patterndist/overlay.js
MediumSecret Patterndist/overlay.js
MediumSecret Patterndist/overlay.js
MediumSecret Patterndist/overlay.js
MediumSecret Patterndist/overlay.js
MediumSecret Patterndist/overlay.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings