registry  /  nanoai-cli  /  1.1.4

nanoai-cli@1.1.4

Terminal UI, ACP server, and automation-friendly CLI for NanoAgent.

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 19.9 KB of source, external domains: api.github.com, github.com, us.i.posthog.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/nanoai.jsView file
3L4: const { spawn } = require("child_process"); L5:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/nanoai.jsView on unpkg · L3
scripts/telemetry.jsView file
14// in-product analytics land in the same PostHog project. L15: const TELEMETRY_HOST = "https://us.i.posthog.com"; L16: const TELEMETRY_PROJECT_TOKEN = "phc_AKZFSyU239kkQ5GQ2y4idb8MtFX96kVekgezgnsELHRk"; ... L25: function telemetryEnabled() { L26: if (isTruthy(process.env.NANOAGENT_TELEMETRY_DISABLED) || isTruthy(process.env.DO_NOT_TRACK)) { L27: return false; ... L32: // Identify the package manager that triggered the install. npm/pnpm/yarn set L33: // npm[redacted] during their lifecycle; bun is detected from the runtime L34: // when the binary is fetched lazily on first launch. ... L106: headers: { "Content-Type": "application/json" }, L107: body: JSON.stringify(payload), L108: signal,
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

scripts/telemetry.jsView on unpkg · L14

Findings

2 High5 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilityscripts/telemetry.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/nanoai.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings