registry  /  craftdriver  /  1.0.1

craftdriver@1.0.1

Modern WebDriver automation library for NodeJS

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 446 KB of source, external domains: 127.0.0.1, api.github.com, example.com, googlechromelabs.github.io, www.npmjs.com

Source & flagged code

6 flagged · loading source
dist/cli/index.jsView file
12*/ L13: import { spawn } from 'child_process'; L14: import { fileURLToPath } from 'url';
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L12
12Cross-file remote execution chain: dist/cli/index.js spawns dist/lib/browser.js; helper contains network access plus dynamic code execution. L12: */ L13: import { spawn } from 'child_process'; L14: import { fileURLToPath } from 'url'; ... L27: if (parsed === null) { L28: process.stdout.write(HELP_TEXT); L29: return 0; ... L100: if (flags.headless === true) L101: process.env.HEADLESS = 'true'; L102: else if (flags.headless === false) ... L171: const dryRun = parsed.args['dry-run'] === true || parsed.args.dryRun === true; L172: const result = runInit({ flavor: flavor, cwd: process.cwd(), force, dryRun }); L173: const prefix = dryRun ? '[dry-run] ' : '';
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/index.jsView on unpkg · L12
dist/lib/driverManager.jsView file
186// if the cache path contains special characters. L187: const r = spawnSync('powershell', [ L188: '-NoProfile', '-Command',
High
Shell

Package source references shell execution.

dist/lib/driverManager.jsView on unpkg · L186
19import os from 'os'; L20: import https from 'https'; L21: import { spawnSync } from 'child_process'; L22: import { fileURLToPath } from 'url'; ... L25: function cacheDir() { L26: return process.env.CRAFTDRIVER_CACHE_DIR ?? path.join(os.homedir(), '.cache', 'craftdriver'); L27: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/lib/driverManager.jsView on unpkg · L19
dist/lib/clock.jsView file
116// eslint-disable-next-line no-new-func L117: new Function(earliest.fn)(); L118: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/lib/clock.jsView on unpkg · L116
bin/craftdriver.mjsView file
23L24: const mod = await import(pathToFileURL(distEntry).href); L25: const rc = await mod.main(process.argv.slice(2));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/craftdriver.mjsView on unpkg · L23

Findings

4 High4 Medium6 Low
HighChild Processdist/cli/index.js
HighShelldist/lib/driverManager.js
HighSame File Env Network Executiondist/lib/driverManager.js
HighCross File Remote Execution Contextdist/cli/index.js
MediumDynamic Requirebin/craftdriver.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/lib/clock.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings