registry  /  figura-cli  /  0.10.2

figura-cli@0.10.2

Command-line client for the Figura visualization SaaS

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 897 KB of source, external domains: api.figura.so, figura.so, github.com, json-schema.org, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
18`;let v=Rd.default(p);p.write(`${m}\r L19: `);let{statusCode:d,buffered:t}=yield v;if(d===200){if(i.once("socket",Ad),a.secureEndpoint){Aa("Upgrading socket connection to TLS");let Z=a.servername||a.host;return jm.default.c... L20: `).forEach(function(o){if(p=o.indexOf(":"),n=o.substring(0,p).trim().toLowerCase(),c=o.substring(p+1).trim(),!n||a[n]&&Bx[n])return;if(n==="set-cookie")if(a[n])a[n].push(c);else a[...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L18
7*/var Yn=no(),Ox=S("path").extname,co=/^\s*([^;\s]*)(?:;|\s|$)/,Px=/^text\//i;yx.charset=po;yx.charsets={lookup:po};yx.contentType=Rx;yx.extension=Ax;yx.extensions=Object.create(nu... L8: `;_.DEFAULT_CONTENT_TYPE="application/octet-stream";_.prototype.append=function(i,a,n){if(n=n||{},typeof n==="string")n={filename:n};var c=Vc.prototype.append.bind(this);if(typeof ... L9: `).join(` ... L18: `;let v=Rd.default(p);p.write(`${m}\r L19: `);let{statusCode:d,buffered:t}=yield v;if(d===200){if(i.once("socket",Ad),a.secureEndpoint){Aa("Upgrading socket connection to TLS");let Z=a.servername||a.host;return jm.default.c... L20: `).forEach(function(o){if(p=o.indexOf(":"),n=o.substring(0,p).trim().toLowerCase(),c=o.substring(p+1).trim(),!n||a[n]&&Bx[n])return;if(n==="set-cookie")if(a[n])a[n].push(c);else a[...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L7
7*/var Yn=no(),Ox=S("path").extname,co=/^\s*([^;\s]*)(?:;|\s|$)/,Px=/^text\//i;yx.charset=po;yx.charsets={lookup:po};yx.contentType=Rx;yx.extension=Ax;yx.extensions=Object.create(nu... L8: `;_.DEFAULT_CONTENT_TYPE="application/octet-stream";_.prototype.append=function(i,a,n){if(n=n||{},typeof n==="string")n={filename:n};var c=Vc.prototype.append.bind(this);if(typeof ... L9: `).join(` ... L18: `;let v=Rd.default(p);p.write(`${m}\r L19: `);let{statusCode:d,buffered:t}=yield v;if(d===200){if(i.once("socket",Ad),a.secureEndpoint){Aa("Upgrading socket connection to TLS");let Z=a.servername||a.host;return jm.default.c... L20: `).forEach(function(o){if(p=o.indexOf(":"),n=o.substring(0,p).trim().toLowerCase(),c=o.substring(p+1).trim(),!n||a[n]&&Bx[n])return;if(n==="set-cookie")if(a[n])a[n].push(c);else a[...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L7
dist/mcp.jsView file
34`,b+1),G=J===-1?"":X.slice(J+1);if(!String(W.stack).endsWith(G))W.stack+=` L35: `+X}}catch(b){}}throw W}}_request(x,Q){if(typeof x==="string")Q=Q||{},Q.url=x;else Q=x||{};Q=p1(this.defaults,Q);let{transitional:W,paramsSerializer:Y,headers:X}=Q;if(W!==void 0)x6... L36: `).filter((b)=>b),Y=Math.min(...W.map((b)=>b.length-b.trimStart().length)),X=W.map((b)=>b.slice(Y)).map((b)=>" ".repeat(this.indent*2)+b);for(let b of X)this.content.push(b)}compil...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/mcp.jsView on unpkg · L34

Findings

3 High3 Medium7 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/mcp.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings