registry  /  fengling-box  /  1.0.6

fengling-box@1.0.6

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 61 file(s), 97.7 KB of source, external domains: api.anysearch.com, api.bilibili.com, api.duckduckgo.com, api.exa.ai, api.github.com, api.mymemory.translated.net, api.search.brave.com, api.semanticscholar.org, api.stackexchange.com, api.tavily.com, api.wolframalpha.com, baike.baidu.com, crates.io, developer.wolframalpha.com, developers.google.com, example1.com, example2.com, export.arxiv.org, hn.algolia.com, mobile.yangkeduo.com, news.ycombinator.com, old.reddit.com, pkg.go.dev, pypi.org, registry.npmjs.org, s.taobao.com, s.weibo.com, scholar.google.com, search.bilibili.com, search.cctv.com, search.jd.com, search.news.cn, searx.tiekoetter.com, so.news.cn, suggest.taobao.com, toutiao.com, translate.googleapis.com, v3.sg.media-imdb.com, weibo.com, www.36kr.com, www.baidu.com, www.bilibili.com, www.bing.com, www.cctv.com, www.cls.cn, www.douban.com, www.douyin.com, www.googleapis.com, www.huxiu.com, www.imdb.com

Source & flagged code

4 flagged · loading source
src/commands/tool.jsView file
1import chalk from 'chalk' L2: import axios from 'axios' L3: import { exec } from 'child_process' L4: import ora from 'ora' ... L12: .action((url) => { L13: const platform = process.platform L14: const cmd = platform === 'win32' ? `start "" "${url}"`
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/commands/tool.jsView on unpkg · L1
npm-releases/fengling-box-1.0.4.tgzView file
path = npm-releases/fengling-box-1.0.4.tgz kind = high_entropy_blob sizeBytes = 26680 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

npm-releases/fengling-box-1.0.4.tgzView on unpkg
path = npm-releases/fengling-box-1.0.4.tgz kind = compressed_blob sizeBytes = 26680 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

npm-releases/fengling-box-1.0.4.tgzView on unpkg
path = npm-releases/fengling-box-1.0.4.tgz kind = nested_archive_needs_inspection sizeBytes = 26680 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

npm-releases/fengling-box-1.0.4.tgzView on unpkg

Findings

2 High4 Medium5 Low
HighSandbox Evasion Gated Capabilitysrc/commands/tool.js
HighShips High Entropy Blobnpm-releases/fengling-box-1.0.4.tgz
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobnpm-releases/fengling-box-1.0.4.tgz
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionnpm-releases/fengling-box-1.0.4.tgz