
metascope@0.8.4

A CLI tool and TypeScript library to easily extract metadata from all kinds of software repositories.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is marked warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process · Crypto · Dynamic Require · Environment Vars · Filesystem · Network · Shell
Supply chain
High Entropy Strings · Minified · Obfuscated · Url Strings
Manifest: No manifest risk signals triggered.
scanned 69 file(s), 767 KB of source, external domains: api.npmjs.org, bitbucket.org, github.com, gitlab.com, npm.pkg.github.com, obsidian.md, proxy.golang.org, pypi.org, pypistats.org, raw.githubusercontent.com, registry.npmjs.org, spdx.org, w3id.org, www.npmjs.com
Oversized source (lightweight scan)
dist/bin/cli.js — 6.64 MB file, sampled 256 KB
Filesystem · Child Process · Environment Vars · Crypto · Dynamic Require · Obfuscated · High Entropy Strings · Minified · Url Strings · github.com · spdx.org · w3id.org

Source & flagged code

6 flagged
dist/bin/shared-Dix5HPlG.js
4`;case`r`:return`\r`;case`t`:return` `;case`u`:case`U`:return String.fromCodePoint(Number.parseInt(t.slice(1),16));default:return t}})}const A=/^v?(\d+)\.(\d+)\.(\d+)(?:-([a-zA-Z0-... L5: `);if(n===-1)return null;let r=t.substring(0,n),i=t.substring(n+1);return r&&i?{etag:r,body:i}:null}catch{return null}}const Qe=new Set;let $e=0;function et(e,t,n){let r=(async()=>... L6: `;)n++;continue}if(a===`/`&&n+1<r&&e[n+1]===`*`){for(n+=2;n<r&&(e[n]!==`*`||e[n+1]!==`/`);)n++;n+=2;continue}if(a===`,`){i=t.length,t+=a,n++;continue}if(a===`}`||a===`]`){i>=0&&(t=...
High
Child Process

Package source references child process execution.

dist/bin/shared-Dix5HPlG.js · L4
1import{accessSync as e,globSync as t,lstatSync as n,readFileSync as r,readdirSync as i,statSync as a,truncateSync as o,writeFileSync as s}from"node:fs";import{basename as c,dirname... L2: `:``)+r[n].slice(0,e);break}t+=(t?` ... L4: `;case`r`:return`\r`;case`t`:return` `;case`u`:case`U`:return String.fromCodePoint(Number.parseInt(t.slice(1),16));default:return t}})}const A=/^v?(\d+)\.(\d+)\.(\d+)(?:-([a-zA-Z0-... L5: `);if(n===-1)return null;let r=t.substring(0,n),i=t.substring(n+1);return r&&i?{etag:r,body:i}:null}catch{return null}}const Qe=new Set;let $e=0;function et(e,t,n){let r=(async()=>... L6: `;)n++;continue}if(a===`/`&&n+1<r&&e[n+1]===`*`){for(n+=2;n<r&&(e[n]!==`*`||e[n+1]!==`/`);)n++;n+=2;continue}if(a===`,`){i=t.length,t+=a,n++;continue}if(a===`}`||a===`]`){i>=0&&(t=...
High
Command Output Exfiltration

Source combines command execution, handling of command output, and outbound requests; review the data flow between them before blocking.

dist/bin/shared-Dix5HPlG.js · L1
4`;case`r`:return`\r`;case`t`:return` `;case`u`:case`U`:return String.fromCodePoint(Number.parseInt(t.slice(1),16));default:return t}})}const A=/^v?(\d+)\.(\d+)\.(\d+)(?:-([a-zA-Z0-... L5: `);if(n===-1)return null;let r=t.substring(0,n),i=t.substring(n+1);return r&&i?{etag:r,body:i}:null}catch{return null}}const Qe=new Set;let $e=0;function et(e,t,n){let r=(async()=>... L6: `;)n++;continue}if(a===`/`&&n+1<r&&e[n+1]===`*`){for(n+=2;n<r&&(e[n]!==`*`||e[n+1]!==`/`);)n++;n+=2;continue}if(a===`,`){i=t.length,t+=a,n++;continue}if(a===`}`||a===`]`){i>=0&&(t=...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/shared-Dix5HPlG.js · L4
dist/bin/web-tree-sitter.wasm
path = dist/bin/web-tree-sitter.wasm kind = wasm_module sizeBytes = 200452 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/bin/web-tree-sitter.wasm
dist/bin/cli.js
path = dist/bin/cli.js kind = oversized_source_file sizeBytes = 6964751 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/bin/cli.js
path = dist/bin/cli.js kind = oversized_cli_entrypoint sizeBytes = 6964751 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/bin/cli.js

Findings

4 High · 6 Medium · 5 Low
High · Child Process · dist/bin/shared-Dix5HPlG.js
High · Shell
High · Command Output Exfiltration · dist/bin/shared-Dix5HPlG.js
High · Oversized Source File · dist/bin/cli.js
Medium · Dynamic Require · dist/bin/shared-Dix5HPlG.js
Medium · Network
Medium · Environment Vars
Medium · Ships Wasm Module · dist/bin/web-tree-sitter.wasm
Medium · Oversized Cli Entrypoint · dist/bin/cli.js
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings