registry  /  insta  /  0.0.6

insta@0.0.6

InstaCloud CLI — a thin client of the platform control-plane API.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 88.0 KB of source, external domains: 127.0.0.1, beta-api.insta.insforge.dev, fly.io, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/util.jsView file
2import { createInterface } from 'node:readline'; L3: import { spawn } from 'node:child_process'; L4: // Best-effort: open a URL in the user's default browser. Returns false if we couldn't launch.
High
Child Process

Package source references child process execution.

dist/util.jsView on unpkg · L2
dist/commands/upgrade.jsView file
6// leaving just the stderr nudge. L7: import { spawn } from 'node:child_process'; L8: import { dirname, join } from 'node:path'; ... L12: import { info } from '../util.js'; L13: const INSTALL_SH = 'https://raw.githubusercontent.com/InsForge/insta-cli/main/install.sh'; L14: const REGISTRY_LATEST = 'https://registry.npmjs.org/insta/latest'; ... L16: const AUTO_THROTTLE_MS = 60 * 60 * 1000; // don't respawn a failed auto-upgrade more than hourly L17: const cachePath = () => process.env.INSTA_UPDATE_CACHE ?? join(homedir(), '.insta', 'update-check.json'); L18: // How is this CLI running? Bun standalone → execPath IS the insta binary (not node);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands/upgrade.jsView on unpkg · L6
matchType = previous_version_dangerous_delta matchedPackage = insta@0.0.5 matchedIdentity = npm:aW5zdGE:0.0.5 similarity = 0.826 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/upgrade.jsView on unpkg
dist/flyctl-build.jsView file
3// Shells out to `flyctl deploy --build-only --push` (remote builder). Ported from firth. L4: import { spawn } from 'node:child_process'; L5: import { existsSync, writeFileSync, unlinkSync } from 'node:fs'; ... L12: let output = ''; L13: child.stdout?.on('data', (b) => { const s = b.toString(); output += s; process.stdout.write(s); }); L14: child.stderr?.on('data', (b) => { const s = b.toString(); output += s; process.stderr.write(s); }); ... L46: try { L47: const { code, output } = await run('flyctl', ['deploy', '--remote-only', '--build-only', '--push', '--app', opts.flyApp, '--image-label', opts.imageLabel, '--no-cache'], { cwd: opt... L48: if (code !== 0) ... L69: return; L70: if (process.platform === 'darwin' && (await ok('brew', ['--version']))) { L71: info('flyctl not found — installing with `brew install flyctl` (one-time)…');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/flyctl-build.jsView on unpkg · L3

Findings

5 High3 Medium5 Low
HighChild Processdist/util.js
HighShell
HighSame File Env Network Executiondist/commands/upgrade.js
HighSandbox Evasion Gated Capabilitydist/flyctl-build.js
HighPrevious Version Dangerous Deltadist/commands/upgrade.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings