registry  /  chron-mcp  /  0.1.30

chron-mcp@0.1.30

Audit-grade timestamped logs for every AI conversation

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 932 KB of source, external domains: claiim.io, cloud.us.humio.com, github.com, json-schema.org, login.microsoftonline.com, monitor.azure.com, nodejs.org, orm.drizzle.team, your.splunkcloud.com
Oversized source lightweight scan
dist/index.js3.06 MB file, sampled 256 KB
EnvironmentVarsCryptoHighEntropyStringsUrlStringsgithub.comjson-schema.org

Source & flagged code

8 flagged · loading source
dist/cli/index.jsView file
2830"use strict"; L2831: var childProcess = require("child_process"); L2832: var { isLinux, getReport } = require_process();
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L2830
569* ### Useful links L570: * https://www.postgresql.org/docs/current/sql-createindex.html L571: * ... L777: } finally { L778: span.end(); L779: } ... L1644: } L1645: var textDecoder; L1646: var init_utils = __esm({ ... L2574: cache: { L2575: values: ["shared", "private"], L2576: update: (key, value) => connectionQueryParams.push(`${key}=${value}`)
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli/index.jsView on unpkg · L569
19142try { L19143: (0, import_child_process3.execSync)("npx chron-mcp --version 2>/dev/null", { timeout: 8e3 }); L19144: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli/index.jsView on unpkg · L19142
19732patternName = generic_password severity = medium line = 19732 matchedText = password...al",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/cli/index.jsView on unpkg · L19732
11}; L12: var __commonJS = (cb, mod) => function __require() { L13: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/index.jsView on unpkg · L11
569* ### Useful links L570: * https://www.postgresql.org/docs/current/sql-createindex.html L571: * ... L777: } finally { L778: span.end(); L779: } ... L1644: } L1645: var textDecoder; L1646: var init_utils = __esm({ ... L2574: cache: { L2575: values: ["shared", "private"], L2576: update: (key, value) => connectionQueryParams.push(`${key}=${value}`)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli/index.jsView on unpkg · L569
dist/index.jsView file
path = dist/index.js kind = oversized_source_file sizeBytes = 3205785 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index.jsView on unpkg
path = dist/index.js kind = oversized_cli_entrypoint sizeBytes = 3205785 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/index.jsView on unpkg

Findings

5 High6 Medium7 Low
HighChild Processdist/cli/index.js
HighShell
HighSandbox Evasion Gated Capabilitydist/cli/index.js
HighRuntime Package Installdist/cli/index.js
HighOversized Source Filedist/index.js
MediumSecret Patterndist/cli/index.js
MediumDynamic Requiredist/cli/index.js
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/index.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/cli/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License