
orbkit@0.1.3

Local Orbital runtime for CKB smart contract workspaces.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 findings at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell, WebSocket
Supply chain
High Entropy Strings, URL Strings
Manifest
No License
scanned 29 file(s), 440 KB of source, external domains: 127.0.0.1, eiwifodbwwingurqifjx.supabase.co, example.com, example.invalid, sh.rustup.rs

Source & flagged code

3 flagged

bin/orbital.js
L1: #!/usr/bin/env node
L2: import { spawn } from 'node:child_process';
L3: import fs from 'node:fs';
High
Child Process

Package source references child process execution.

bin/orbital.js · L1

mod/common.mjs
L494: } else if (process.platform === 'win32') {
L495:   proc = spawn('cmd.exe', ['/c', cmd, ...args], { shell: false });
L496: } else {
High
Shell

Package source references shell execution.

mod/common.mjs · L494

mod/setup.js
L41: const child = spawn(
L42:   'cmd.exe',
L43:   ['/c', 'start', '"offckb-devnet"', '/min', 'npx', '@offckb/cli', 'node'],
...
L56:   'bash',
L57:   ['-lc', 'nohup npx @offckb/cli node >/tmp/offckb-devnet.log 2>&1 < /dev/null &'],
L58:   {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

mod/setup.js · L41

Findings

3 High · 3 Medium · 6 Low

High · Child Process · bin/orbital.js
High · Shell · mod/common.mjs
High · Runtime Package Install · mod/setup.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk (Force Deep Review)
Low · Non-Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · URL Strings
Low · No License