registry  /  coursecode  /  0.1.54

coursecode@0.1.54

Multi-format course authoring framework with CLI tools (SCORM 2004, SCORM 1.2, cmi5, LTI 1.3)

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 207 file(s), 2.54 MB of source, external domains: adlnet.gov, api.deepgram.com, api.elevenlabs.io, api.openai.com, api.resend.com, github.com, i.pravatar.cc, img.youtube.com, interactive-examples.mdn.mozilla.net, ltsc.ieee.org, oauth2.googleapis.com, picsum.photos, player.vimeo.com, purl.imsglobal.org, texttospeech.googleapis.com, vimeo.com, w3id.org, www.adlnet.org, www.coursecodecloud.com, www.google.com, www.googleapis.com, www.imsglobal.org, www.imsproject.org, www.w3.org, www.youtube.com, your-endpoint.workers.dev, your-worker.workers.dev, youtu.be

Source & flagged code

6 flagged · loading source
bin/cli.jsView file
40// macOS/Linux: re-exec with NODE_EXTRA_CA_CERTS pointing to PEM file L41: const { spawnSync } = await import('child_process'); L42: const result = spawnSync(process.execPath, process.argv.slice(1), {
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L40
lib/authoring-api.jsView file
1052env, L1053: shell: true, L1054: stdio: ['ignore', 'pipe', 'pipe']
High
Shell

Package source references shell execution.

lib/authoring-api.jsView on unpkg · L1052
1049const env = { ...process.env, LMS_FORMAT: format }; L1050: const child = spawn('npx', ['vite', 'build'], { L1051: cwd: courseRoot,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

lib/authoring-api.jsView on unpkg · L1049
template/vite.config.jsView file
31try { L32: ({ generateManifest } = await import('coursecode/manifest')); L33: ({
Medium
Dynamic Require

Package source references dynamic require/import behavior.

template/vite.config.jsView on unpkg · L31
framework/scripts/narration-parser.jsView file
51try { L52: return JSON.parse(fs.readFileSync(cacheFile, 'utf-8')); L53: } catch {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

framework/scripts/narration-parser.jsView on unpkg · L51
template/course/assets/docs/example_pdf_2.pdfView file
path = template/course/assets/docs/example_pdf_2.pdf kind = high_entropy_blob sizeBytes = 7037 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

template/course/assets/docs/example_pdf_2.pdfView on unpkg

Findings

4 High4 Medium7 Low
HighChild Processbin/cli.js
HighShelllib/authoring-api.js
HighRuntime Package Installlib/authoring-api.js
HighShips High Entropy Blobtemplate/course/assets/docs/example_pdf_2.pdf
MediumDynamic Requiretemplate/vite.config.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptoframework/scripts/narration-parser.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings