registry  /  autokap  /  2.0.2

autokap@2.0.2

AI-powered CLI tool for capturing clean screenshots of websites

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 95 file(s), 1.64 MB of source, external domains: app.example.com, autokap.app, eu.i.posthog.com, example.com, ffmpeg.org, github.com, nodejs.org, openrouter.ai, registry.npmjs.org, www.google.com, www.w3.org

Source & flagged code

6 flagged · loading source
dist/openrouter-tts.jsView file
13* **Pure module** — no Node-only imports beyond `node:fs` / `node:os` / L14: * `node:path` / `node:child_process` (used only for duration probing). Safe L15: * to import from both the CLI and the Next.js server runtime.
High
Child Process

Package source references child process execution.

dist/openrouter-tts.jsView on unpkg · L13
dist/cookie-dismiss.jsView file
187// eslint-disable-next-line no-new-func L188: const isCookieConsentContainer = new Function(`return (${predicateSource})`)(); L189: // Find all visible buttons and links
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cookie-dismiss.jsView on unpkg · L187
dist/capture-variant-state.jsView file
1import { createHash } from "crypto"; L2: import { inferCapturePageIdentity } from "./capture-page-identity.js";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/capture-variant-state.jsView on unpkg · L1
dist/cli-updater.jsView file
17// against the new binary. L18: import { spawn } from 'node:child_process'; L19: import fs from 'node:fs/promises'; L20: import https from 'node:https'; L21: import path from 'node:path'; ... L32: function isInteractive() { L33: return Boolean(process.stdout.isTTY && process.stdin.isTTY && !process.env.CI); L34: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli-updater.jsView on unpkg · L17
dist/posthog.jsView file
4// Stable anonymous ID derived from machine hostname — no PII collected L5: const machineId = createHash('sha256').update(hostname()).digest('hex').slice(0, 16); L6: export const DISTINCT_ID = `cli-${machineId}`; ... L10: if (!_client) { L11: _client = new PostHog(process.env.POSTHOG_API_KEY ?? '', { L12: host: process.env.POSTHOG_HOST ?? 'https://eu.i.posthog.com', L13: flushAt: 1,
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/posthog.jsView on unpkg · L4
dist/playwright-installer.jsView file
11* L12: * Cross-platform: uses `npx playwright install chromium` (works on macOS, L13: * Linux, Windows). Output is streamed inherit so the user sees the ... L15: */ L16: import { spawn } from 'node:child_process'; L17: import { existsSync } from 'node:fs';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/playwright-installer.jsView on unpkg · L11

Findings

5 High3 Medium6 Low
HighChild Processdist/openrouter-tts.js
HighShell
HighSame File Env Network Executiondist/cli-updater.js
HighSandbox Evasion Gated Capabilitydist/posthog.js
HighRuntime Package Installdist/playwright-installer.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowEvaldist/cookie-dismiss.js
LowWeak Cryptodist/capture-variant-state.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings