registry  /  langcli-com  /  0.1.40

langcli-com@0.1.40

⚠ Under review

Langcli - interactive AI coding assistant in the terminal

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 258 KB of source, external domains: 127.0.0.1
Oversized source lightweight scan
dist/cli.js26.5 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStrings127.0.0.1

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/setup-chrome-mcp.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts/setup-chrome-mcp.mjsView file
10Install-time AI-agent control hijack evidence: L11: import { execFileSync } from 'node:child_process' L12: import { mkdirSync } from 'node:fs' L13: import { createRequire } from 'node:module' ... L16: L17: if (process.env.CLAUDE_CODE_SKIP_CHROME_MCP_SETUP === '1') { L18: process.exit(0) ... L57: L58: mkdirSync(getChromeMcpLogDir(), { recursive: true }) L59: Payload evidence from scripts/setup-chrome-mcp.mjs: L10: L11: import { execFileSync } from 'node:child_process' L12: import { mkdirSync } from 'node:fs' ... L16: L17: if (process.env.CLAUDE_CODE_SKIP_CHROME_MCP_SETUP === '1') { L18: process.exit(0) ... L28: function getChromeMcpLogDir() { L29: const home = homedir() L30: if (process.platform === 'darwin') { L31: return join(home, 'Library', 'Logs', 'mcp-chrome-bridge')
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/setup-chrome-mcp.mjsView on unpkg · L10
dist/vendor/audio-capture/x64-darwin/audio-capture.nodeView file
path = dist/vendor/audio-capture/x64-darwin/audio-capture.node kind = native_binary sizeBytes = 439076 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/vendor/audio-capture/x64-darwin/audio-capture.nodeView on unpkg
dist/cli.jsView file
path = dist/cli.js kind = oversized_source_file sizeBytes = 27788048 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.jsView on unpkg
path = dist/cli.js kind = oversized_cli_entrypoint sizeBytes = 27788048 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.jsView on unpkg

Findings

1 Critical2 High4 Medium6 Low
CriticalAi Agent Control Hijackscripts/setup-chrome-mcp.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighOversized Source Filedist/cli.js
MediumEnvironment Vars
MediumShips Native Binarydist/vendor/audio-capture/x64-darwin/audio-capture.node
MediumOversized Cli Entrypointdist/cli.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License