registry  /  notecraftapp  /  0.1.1

notecraftapp@0.1.1

⚠ Under review

由 AI 生成視覺化與動態互動元件、嵌入筆記的個人筆記 Web App。用 npx 一行指令在任何 md/mdx 資料夾啟動漂亮 UI。

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 34 file(s), 219 KB of source, external domains: 127.0.0.1

Source & flagged code

5 flagged · loading source
bin/notecraftapp.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = notecraftapp@0.1.0 matchedIdentity = npm:bm90ZWNyYWZ0YXBw:0.1.0 similarity = 0.941 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/notecraftapp.mjsView on unpkg
9import { defineCommand, runMain } from "citty"; L10: import { spawn, spawnSync } from "node:child_process"; L11: import { createServer } from "node:http";
High
Child Process

Package source references child process execution.

bin/notecraftapp.mjsView on unpkg · L9
65console.log(`[notecraftapp] 安裝相依(npm install)…`); L66: const install = spawnSync("npm", ["install", "--omit=dev", "--no-audit", "--no-fund"], { L67: cwd: stableAppRoot, ... L70: if (install.status !== 0) { L71: console.error("[notecraftapp] npm install 失敗"); L72: process.exit(install.status ?? 1);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/notecraftapp.mjsView on unpkg · L65
9import { defineCommand, runMain } from "citty"; L10: import { spawn, spawnSync } from "node:child_process"; L11: import { createServer } from "node:http"; L12: import { promises as fs, existsSync, readFileSync, statSync } from "node:fs"; ... L20: const packageRoot = path.resolve(path.dirname(__filename), ".."); L21: const pkgJson = JSON.parse(readFileSync(path.join(packageRoot, "package.json"), "utf-8")); L22: ... L32: L33: const stableAppRoot = path.join(os.homedir(), ".notecraft", `app-${pkgJson.version}`); L34: L35: function isDevSource() { L36: if (process.env.NOTECRAFTAPP_DEV === "1") return true;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/notecraftapp.mjsView on unpkg · L9
src/components/islands/PagefindSearch.tsxView file
29const url = "/pagefind/" + "pagefind.js"; L30: const mod = await import(/* @vite-ignore */ url); L31: if (cancelled) return;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/components/islands/PagefindSearch.tsxView on unpkg · L29

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/notecraftapp.mjs
HighChild Processbin/notecraftapp.mjs
HighShell
HighRuntime Package Installbin/notecraftapp.mjs
MediumDynamic Requiresrc/components/islands/PagefindSearch.tsx
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptobin/notecraftapp.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings