registry  /  badgr-cli  /  1.0.45

badgr-cli@1.0.45

Badgr — run or serve GPU workloads from one command

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 55 file(s), 516 KB of source, external domains: aibadgr.com, api.aibadgr.com, api.badgr.ai, api.gpu.ai, api.test, dep-app-001.aibadgr.com, dep-existing.aibadgr.com, dep-new.aibadgr.com, dep-prod-001.aibadgr.com, dep-run-001.aibadgr.com, dep-serve-001.aibadgr.com, dep-test-001.aibadgr.com, dep-tmpl-001.aibadgr.com, dep-vllm-999.aibadgr.com, example.com, github.com, my-server.example.com

Source & flagged code

2 flagged · loading source
src/commands/billing.jsView file
1import { execSync } from 'child_process'; L2: import { requireApiKey } from '../config.js'; ... L19: function openBrowser(url) { L20: const platform = process.platform; L21: try { ... L46: console.log(chalk.dim(' Add balance: badgr billing add 10')); L47: console.log(chalk.dim(' Or visit: https://aibadgr.com/billing/top-up')); L48: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/commands/billing.jsView on unpkg · L1
src/commands/train.jsView file
matchType = previous_version_dangerous_delta matchedPackage = badgr-cli@1.0.42 matchedIdentity = npm:YmFkZ3ItY2xp:1.0.42 similarity = 0.708 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/commands/train.jsView on unpkg

Findings

2 High3 Medium4 Low
HighSandbox Evasion Gated Capabilitysrc/commands/billing.js
HighPrevious Version Dangerous Deltasrc/commands/train.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings