registry  /  futurex-cli  /  0.3.0

futurex-cli@0.3.0

FutureX — terminal-native AI coding agent (DeepSeek-backed). A streaming, repo-aware REPL plus an agentic tool loop with permission gates.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 274 KB of source, external domains: admin.futurim.org, api.anthropic.com, api.deepseek.com, api.futurim.org, api.npmjs.org, api.openai.com, axios-http.com, docs.nestjs.com, expressjs.com, fastify.dev, futurim.org, ipwho.is, jestjs.io, koajs.com, nextjs.org, orm.drizzle.team, playwright.dev, portal.futurim.org, react.dev, registry.npmjs.org, svelte.dev, tailwindcss.com, typeorm.io, vitest.dev, vuejs.org, www.futurim.org, www.prisma.io, www.typescriptlang.org, zod.dev

Source & flagged code

4 flagged · loading source
dist/index.jsView file
170import { dirname as dirname2, isAbsolute as isAbsolute2, join as join2, relative as relative2, sep as sep2 } from "node:path"; L171: import { exec } from "node:child_process"; L172: import { promisify } from "node:util";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L170
206/\bgit\s+push\b/i, L207: /\b(curl|wget|irm|iwr)\b[^|]*\|\s*(sh|bash|zsh|iex|powershell)/i, L208: />\s*\/dev\/sd/i
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L206
98var DEFAULT_API_URL = "https://api.futurim.org"; L99: function apiBaseUrl() { L100: return process.env.FUTUREX_API_URL ?? process.env.API_URL ?? DEFAULT_API_URL; ... L119: try { L120: return JSON.parse(readFileSync(path, "utf8")); L121: } catch { ... L170: import { dirname as dirname2, isAbsolute as isAbsolute2, join as join2, relative as relative2, sep as sep2 } from "node:path"; L171: import { exec } from "node:child_process"; L172: import { promisify } from "node:util";
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/index.jsView on unpkg · L98
97import { join } from "node:path"; L98: var DEFAULT_API_URL = "https://api.futurim.org"; L99: function apiBaseUrl() { L100: return process.env.FUTUREX_API_URL ?? process.env.API_URL ?? DEFAULT_API_URL; L101: } L102: function futurexHome() { L103: return process.env.FUTUREX_HOME ?? join(homedir(), ".futurex"); L104: } ... L119: try { L120: return JSON.parse(readFileSync(path, "utf8")); L121: } catch { ... L170: import { dirname as dirname2, isAbsolute as isAbsolute2, join as join2, relative as relative2, sep as sep2 } from "node:path";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L97

Findings

3 High3 Medium7 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighRemote Agent Bridgedist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License