hyperframes@0.7.23

HyperFrames CLI — create, preview, and render HTML video compositions

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, Obfuscated, Telemetry, UrlStrings
Manifest: NoLicense
scanned 16 file(s), 3.44 MB of source, external domains: 127.0.0.1, aomediacodec.github.io, api.heygen.com, api2.heygen.com, cdn.example.com, cdn.jsdelivr.net, evilmartians.com, example.com, fonts.googleapis.com, fonts.gstatic.com, github.com, react.dev, studio.local, us.i.posthog.com, www.w3.org, www.w3ctech.com, www.webmproject.org
Oversized source lightweight scan
dist/cli.js · 8.66 MB file, sampled 256 KB
signals: Filesystem, Network, ChildProcess, EnvironmentVars, Crypto, Shell, DynamicRequire, HighEntropyStrings, UrlStrings
external domains: 127.0.0.1, api.heygen.com, api2.heygen.com, cdn.example.com, example.com
dist/studio/assets/index-B8XMgbWF.js · 3.01 MB file, sampled 256 KB
signals: Network, ChildProcess, Obfuscated, HighEntropyStrings, Minified, Telemetry, UrlStrings
external domains: github.com, react.dev, www.w3.org

Source & flagged code

3 flagged
dist/studio/index.js
L184: fill: "none",
L185: xmlns: "http://www.w3.org/2000/svg",
L186: "aria-hidden": "true",
...
L1209: if (!raw) return {};
L1210: const parsed = JSON.parse(raw);
L1211: if (!isRecord2(parsed)) return {};
...
L1455: try {
L1456: return import.meta.env.DEV === true;
L1457: } catch {
...
L1592: headers: { "Content-Type": "application/json" },
L1593: body: JSON.stringify({ api_key: POSTHOG_API_KEY, batch }),
L1594: signal: controller.signal
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/studio/index.js · L184
dist/studio/assets/index-B8XMgbWF.js
path = dist/studio/assets/index-B8XMgbWF.js kind = oversized_source_file sizeBytes = 3158842 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/studio/assets/index-B8XMgbWF.js
dist/cli.js
path = dist/cli.js kind = oversized_cli_entrypoint sizeBytes = 9078902 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.js

Findings

2 High · 5 Medium · 7 Low
High · Sandbox Evasion Gated Capability · dist/studio/index.js
High · Oversized Source File · dist/studio/assets/index-B8XMgbWF.js
Medium · Dynamic Require
Medium · Network
Medium · Environment Vars
Medium · Oversized Cli Entrypoint · dist/cli.js
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License