registry  /  docspress  /  0.1.0

docspress@0.1.0

Sync Markdown docs to WordPress Pages as Gutenberg content from GitHub Actions.

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 1.94 MB of source, external domains: developer.mozilla.org, docs.github.com, feross.org, fetch.spec.whatwg.org, github.com, infra.spec.whatwg.org, mimesniff.spec.whatwg.org, nodejs.org, public-api.wordpress.com, stackoverflow.com, streams.spec.whatwg.org, tools.ietf.org, url.spec.whatwg.org, w3c.github.io, www.rfc-editor.org, www.unicode.org

Source & flagged code

7 flagged · loading source
dist/index.jsView file
42476var external_events_ = __nccwpck_require__(4434); L42477: ;// CONCATENATED MODULE: external "child_process" L42478: const external_child_process_namespaceObject = __WEBPACK_EXTERNAL_createRequire(import.meta.url)("child_process");
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L42476
2062} L2063: // https://github.com/typescript-eslint/typescript-eslint/issues/60 L2064: // eslint-disable-next-line no-redeclare ... L2848: if (index === filepaths.length - 1) { L2849: stream.end(); L2850: } ... L2961: this.concurrency = this._getValue(this._options.concurrency, CPU_COUNT); L2962: this.cwd = this._getValue(this._options.cwd, process.cwd()); L2963: this.deep = this._getValue(this._options.deep, Infinity); ... L3521: L3522: let start = String.fromCharCode(a); L3523: if (a === b) return start;
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L2062
2062Cross-file remote execution chain: dist/index.js spawns dist/sourcemap-register.cjs; helper contains network access plus dynamic code execution. L2062: } L2063: // https://github.com/typescript-eslint/typescript-eslint/issues/60 L2064: // eslint-disable-next-line no-redeclare ... L2848: if (index === filepaths.length - 1) { L2849: stream.end(); L2850: } ... L2961: this.concurrency = this._getValue(this._options.concurrency, CPU_COUNT); L2962: this.cwd = this._getValue(this._options.cwd, process.cwd()); L2963: this.deep = this._getValue(this._options.deep, Infinity); ... L3521: L3522: let start = String.fromCharCode(a); L3523: if (a === b) return start;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L2062
4018} L4019: return eval(str) || {}; L4020: } catch (err) {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L4018
2062} L2063: // https://github.com/typescript-eslint/typescript-eslint/issues/60 L2064: // eslint-disable-next-line no-redeclare ... L2848: if (index === filepaths.length - 1) { L2849: stream.end(); L2850: } ... L2961: this.concurrency = this._getValue(this._options.concurrency, CPU_COUNT); L2962: this.cwd = this._getValue(this._options.cwd, process.cwd()); L2963: this.deep = this._getValue(this._options.deep, Infinity); ... L3521: L3522: let start = String.fromCharCode(a); L3523: if (a === b) return start;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L2062
dist/sourcemap-register.cjsView file
1(()=>{var e={296:e=>{var r=Object.prototype.toString;var n=typeof Buffer!=="undefined"&&typeof Buffer.alloc==="function"&&typeof Buffer.allocUnsafe==="function"&&typeof Buffer.from...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/sourcemap-register.cjsView on unpkg · L1
scripts/create-wordpress-token.mjsView file
1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import crypto from "node:crypto"; L4: import http from "node:http"; L5: ... L133: if (error) { L134: response.end("Authorization failed. You can close this tab."); L135: reject(new Error(error)); ... L186: }); L187: const text = await response.text(); L188: const data = text ? JSON.parse(text) : {}; ... L197: function openBrowser(url) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/create-wordpress-token.mjsView on unpkg · L1

Findings

5 High4 Medium6 Low
HighChild Processdist/index.js
HighShell
HighSandbox Evasion Gated Capabilityscripts/create-wordpress-token.mjs
HighObfuscated Payload Loaderdist/index.js
HighCross File Remote Execution Contextdist/index.js
MediumDynamic Requiredist/sourcemap-register.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/index.js
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings