mobai-lv-build-runner@0.0.1-alpha.27

Internal Lunaverse build runner

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 26 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

Behavioral surface (public snapshot)
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Minified, Obfuscated, Url Strings
Manifest: No manifest risk signals triggered.
Scanned 585 file(s), 12.3 MB of source. External domains: developer.imaginationtech.com, docs.cocos.com, download.cocos.com, forum.cocos.org, gitee.com, github.com, imagemagick.org, json.schemastore.org, people.mozilla.org, rbuckton.github.io, repo.harmonyos.com, tc39.github.io, www.apache.org

Source & flagged code

18 flagged
File: package.json

Severity: High
Finding: Install Time Lifecycle Scripts
Evidence: scripts.postinstall = node workflow/postinstall.js
Package defines install-time lifecycle scripts.

Severity: High
Finding: Node Builtin Dependency Squat
Evidence: Runtime dependency names matching Node built-ins: readline
Package declares a runtime dependency whose name matches a Node built-in module.

Severity: Medium
Finding: Ambiguous Install Lifecycle Script
Evidence: scripts.postinstall = node workflow/postinstall.js
Install-time lifecycle script is not statically allowlisted and needs review.
File: dist/core/builder/platforms/android/i18n/en.js

Severity: Medium
Finding: Secret Pattern
Evidence: patternName = generic_password severity = medium line = 32 matchedText = confirm_...rd',
Package contains a possible secret pattern.
Location: line 32

Severity: Medium
Finding: Secret Pattern
Evidence: patternName = generic_password severity = medium line = 34 matchedText = keystore...rd',
Hardcoded password in dist/core/builder/platforms/android/i18n/en.js
Location: line 34

Severity: Medium
Finding: Secret Pattern
Evidence: patternName = generic_password severity = medium line = 37 matchedText = keystore...rd',
Hardcoded password in dist/core/builder/platforms/android/i18n/en.js
Location: line 37
File: dist/core/scripting/compile-process.js

Severity: High
Finding: Child Process
Evidence:
  L4: const path_1 = require("path");
  L5: const child_process_1 = require("child_process");
  L6: /**
Package source references child process execution.
Location: line 4
File: workflow/generate-dts.ts

Severity: High
Finding: Shell
Evidence:
  L14:
  L15: const execAsync = promisify(exec); // Dynamically build the real PlatformType union from @cocos/ccbuild enums.
  L16: // This is needed because api-extractor incorrectly resolves
Package source references shell execution.
Location: line 14
File: dist/core/builder/worker/builder/asset-handler/texture-compress/compress-tool.js

Severity: Low
Finding: Eval
Evidence:
  L326: function patchCommand(command, options) {
  L327:     return new Function('options', 'with(options){ return String.raw`' + command + '`}')(options);
  L328: }
Package source references a known benign dynamic code generation pattern.
Location: line 326
File: dist/core/configuration/index.js

Severity: Medium
Finding: Dynamic Require
Evidence:
  L17: exports.getCocosConfigNodes = exports.configurationManager = exports.configurationRegistry = void 0;
  L18: const registry_1 = require("./script/registry");
  L19: Object.defineProperty(exports, "configurationRegistry", { enumerable: true, get: function () { return registry_1.configurationRegistry; } });
Package source references dynamic require/import behavior.
Location: line 17
File: dist/core/builder/worker/builder/utils/index.js

Severity: Low
Finding: Weak Crypto
Evidence:
  L65: const path_1 = require("path");
  L66: const child_process_1 = require("child_process");
  L67: const fs_1 = require("fs");
  ...
  L184: (0, child_process_1.exec)('node -v', {
  L185:     env: process.env,
  L186: }, (error) => {
  ...
  L447: }
  L448: //# sourceMappingURL=data:application/json;base64,[redacted]...
Package source references weak cryptographic algorithms.
Location: line 65
File: workflow/electron-rebuild.js

Severity: High
Finding: Runtime Package Install
Evidence:
  L13:     console.log(`\n> ${cmd}`);
  L14:     execSync(cmd, { stdio: 'inherit' });
  L15: }
  ...
  L17: try {
  L18:     run('npx --yes patch-package');
  L19:     run(`npx @electron/rebuild --force --version ${electronVersion}`);
Package source invokes a package manager install command at runtime.
Location: line 13
File: packages/engine-cache/dev-cli-runtime-cache.tgz

Severity: High
Finding: Ships High Entropy Blob
Evidence: path = packages/engine-cache/dev-cli-runtime-cache.tgz kind = high_entropy_blob sizeBytes = 14782689 magicHex = [redacted]
Package ships high-entropy non-source blobs.

Severity: Medium
Finding: Ships Compressed Blob
Evidence: path = packages/engine-cache/dev-cli-runtime-cache.tgz kind = compressed_blob sizeBytes = 14782689 magicHex = [redacted]
Package ships compressed or archive-like blobs.

Severity: Low
Finding: Nested Archive Needs Inspection
Evidence: path = packages/engine-cache/dev-cli-runtime-cache.tgz kind = nested_archive_needs_inspection sizeBytes = 14782689 magicHex = [redacted]
Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
File: dist/core/builder/platforms/google-play/i18n/en.js

Severity: Medium
Finding: Secret Pattern
Evidence: patternName = generic_password severity = medium line = 28 matchedText = confirm_...rd',
Hardcoded password in dist/core/builder/platforms/google-play/i18n/en.js
Location: line 28

Severity: Medium
Finding: Secret Pattern
Evidence: patternName = generic_password severity = medium line = 30 matchedText = keystore...rd',
Hardcoded password in dist/core/builder/platforms/google-play/i18n/en.js
Location: line 30

Severity: Medium
Finding: Secret Pattern
Evidence: patternName = generic_password severity = medium line = 33 matchedText = keystore...rd',
Hardcoded password in dist/core/builder/platforms/google-play/i18n/en.js
Location: line 33

Findings

6 High, 12 Medium, 8 Low

High: Install Time Lifecycle Scripts (package.json)
High: Child Process (dist/core/scripting/compile-process.js)
High: Shell (workflow/generate-dts.ts)
High: Runtime Package Install (workflow/electron-rebuild.js)
High: Ships High Entropy Blob (packages/engine-cache/dev-cli-runtime-cache.tgz)
High: Node Builtin Dependency Squat (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Secret Pattern (dist/core/builder/platforms/android/i18n/en.js)
Medium: Dynamic Require (dist/core/configuration/index.js)
Medium: Network
Medium: Environment Vars
Medium: Ships Compressed Blob (packages/engine-cache/dev-cli-runtime-cache.tgz)
Medium: Structural Risk Force Deep Review
Medium: Secret Pattern (dist/core/builder/platforms/android/i18n/en.js)
Medium: Secret Pattern (dist/core/builder/platforms/android/i18n/en.js)
Medium: Secret Pattern (dist/core/builder/platforms/google-play/i18n/en.js)
Medium: Secret Pattern (dist/core/builder/platforms/google-play/i18n/en.js)
Medium: Secret Pattern (dist/core/builder/platforms/google-play/i18n/en.js)
Low: Scripts Present
Low: Eval (dist/core/builder/worker/builder/asset-handler/texture-compress/compress-tool.js)
Low: Weak Crypto (dist/core/builder/worker/builder/utils/index.js)
Low: Filesystem
Low: Obfuscated
Low: High Entropy Strings
Low: Url Strings
Low: Nested Archive Needs Inspection (packages/engine-cache/dev-cli-runtime-cache.tgz)