registry  /  coderefiner  /  1.0.7

coderefiner@1.0.7

Cursor skill for frontend performance optimization — install with npm and use /coderefiner in chat

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 97.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 23.9 KB of source, external domains: gitlab.com, registry.npmjs.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
lib/mcp.mjsView file
2import path from 'node:path'; L3: import { execSync } from 'node:child_process'; L4: import { globalMcpPath } from './paths.mjs';
High
Child Process

Package source references child process execution.

lib/mcp.mjsView on unpkg · L2
2import path from 'node:path'; L3: import { execSync } from 'node:child_process'; L4: import { globalMcpPath } from './paths.mjs'; ... L6: const SERVER_KEY = 'chrome-devtools'; L7: const NPM_INSTALL_CMD = 'npm install -g chrome-devtools-mcp --registry=https://registry.npmjs.org/'; L8:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/mcp.mjsView on unpkg · L2
matchType = normalized_sha256 matchedPackage = resuggestor@1.0.1 matchedPath = lib/mcp.mjs matchedIdentity = npm:cmVzdWdnZXN0b3I:1.0.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/mcp.mjsView on unpkg
templates/.cursor/hooks/coderefiner-post-canvas-write.shView file
path = templates/.cursor/hooks/coderefiner-post-canvas-write.sh kind = payload_in_excluded_dir sizeBytes = 842 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/.cursor/hooks/coderefiner-post-canvas-write.shView on unpkg
path = templates/.cursor/hooks/coderefiner-post-canvas-write.sh kind = build_helper sizeBytes = 842 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/.cursor/hooks/coderefiner-post-canvas-write.shView on unpkg
lib/paths.mjsView file
matchType = normalized_sha256 matchedPackage = resuggestor@1.0.1 matchedPath = lib/paths.mjs matchedIdentity = npm:cmVzdWdnZXN0b3I:1.0.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

lib/paths.mjsView on unpkg

Findings

7 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processlib/mcp.mjs
HighShell
HighRuntime Package Installlib/mcp.mjs
HighPayload In Excluded Dirtemplates/.cursor/hooks/coderefiner-post-canvas-write.sh
HighKnown Malware Source Similaritylib/mcp.mjs
HighKnown Malware Source Similaritylib/paths.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Build Helpertemplates/.cursor/hooks/coderefiner-post-canvas-write.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings