registry  /  asyar-sdk  /  4.3.0

asyar-sdk@4.3.0

SDK for Asyar extensions

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 173 file(s), 633 KB of source, external domains: api.github.com, asyar-thumb.localhost, asyar.org, example.com, github.com, www.w3.org

Source & flagged code

4 flagged · loading source
dist/cli/lib/auth.jsView file
46const http = __importStar(require("http")); L47: const child_process_1 = require("child_process"); L48: const chalk_1 = __importDefault(require("chalk"));
High
Child Process

Package source references child process execution.

dist/cli/lib/auth.jsView on unpkg · L46
45exports.getOrAuthorizeGitHub = getOrAuthorizeGitHub; L46: const http = __importStar(require("http")); L47: const child_process_1 = require("child_process"); L48: const chalk_1 = __importDefault(require("chalk")); ... L54: const CLI_PORT = 7123; L55: exports.STORE_URL = (_a = process.env.ASYAR_STORE_URL) !== null && _a !== void 0 ? _a : 'https://asyar.org'; L56: function openBrowser(rawUrl) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/lib/auth.jsView on unpkg · L45
45exports.getOrAuthorizeGitHub = getOrAuthorizeGitHub; L46: const http = __importStar(require("http")); L47: const child_process_1 = require("child_process"); L48: const chalk_1 = __importDefault(require("chalk")); ... L54: const CLI_PORT = 7123; L55: exports.STORE_URL = (_a = process.env.ASYAR_STORE_URL) !== null && _a !== void 0 ? _a : 'https://asyar.org'; L56: function openBrowser(rawUrl) { ... L69: const url = parsed.href; L70: if (process.platform === 'darwin') { L71: (0, child_process_1.execFile)('open', [url]); ... L100: res.writeHead(400); L101: res.end('Missing token or username');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/lib/auth.jsView on unpkg · L45
dist/cli/index.jsView file
3Object.defineProperty(exports, "__esModule", { value: true }); L4: const commander_1 = require("commander"); L5: const fs_1 = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/index.jsView on unpkg · L3

Findings

3 High4 Medium6 Low
HighChild Processdist/cli/lib/auth.js
HighSame File Env Network Executiondist/cli/lib/auth.js
HighSandbox Evasion Gated Capabilitydist/cli/lib/auth.js
MediumDynamic Requiredist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License