registry  /  artor-cli  /  0.17.0

artor-cli@0.17.0

⚠ Under review

Artor CLI — version, publish, and preview your web prototypes.

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 230 KB of source, external domains: claude.com, dash.artor.app, github.com, nodejs.org, registry.npmjs.org

Source & flagged code

3 flagged · loading source
dist/index.jsView file
36try { L37: return JSON.stringify(redactForLog(JSON.parse(body))); L38: } catch { ... L104: function registryUrl(pkg) { L105: return `https://registry.npmjs.org/${pkg.replace("/", "%2F")}/latest`; L106: } ... L123: try { L124: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8"); L125: return JSON.parse(raw); ... L150: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0; L151: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m L152: `);
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L36
36Trigger-reachable chain: manifest.bin -> dist/index.js L36: try { L37: return JSON.stringify(redactForLog(JSON.parse(body))); L38: } catch { ... L104: function registryUrl(pkg) { L105: return `https://registry.npmjs.org/${pkg.replace("/", "%2F")}/latest`; L106: } ... L123: try { L124: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8"); L125: return JSON.parse(raw); ... L150: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0; L151: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m L152: `);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L36
692L693: await import(pathToFileURL(resolve(here, ${JSON.stringify(spec.buildPath)})).href); L694: `;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L692

Findings

2 Critical4 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License