pendpost@1.2.0

pendpost is a free, open-source (MIT), local-first social media planner where an AI agent drafts and schedules posts across Instagram, Facebook, LinkedIn, YouTube, and X behind a human approval gate you control.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 53 file(s), 1.68 MB of source, external domains: 127.0.0.1, accounts.google.com, api.linkedin.com, api.pinterest.com, api.telegram.org, api.twitter.com, balanced-giraffe-97.accounts.dev, console.cloud.google.com, developer.x.com, developers.facebook.com, developers.pinterest.com, developers.tiktok.com, discord.com, example.invalid, graph-video.facebook.com, graph.facebook.com, oauth.reddit.com, oauth2.googleapis.com, open.tiktokapis.com, pendpost-cloud-api.fly.dev, react.dev, redd.it, rupload.facebook.com, studio.youtube.com, support.discord.com, t.me, twitter.com, upload.twitter.com, www.facebook.com, www.googleapis.com, www.instagram.com, www.linkedin.com, www.pinterest.com, www.reddit.com, www.tiktok.com, www.w3.org, www.youtube.com, x.com, youtu.be

Source & flagged code

5 flagged
bin/pendpost.mjs
L5: // draft -> approve -> schedule -> publish -> insights loop with zero setup.
L6: import { spawnSync } from 'node:child_process';
L7: import fs from 'node:fs';
High
Child Process

Package source references child process execution.

bin/pendpost.mjs · L5
L1: #!/usr/bin/env node
L2: // bin/pendpost.mjs - the `pendpost` / `npx pendpost` entry point. Builds the
L3: // dashboard on first run if it is not present, then boots the server. With no ...
L5: // draft -> approve -> schedule -> publish -> insights loop with zero setup.
L6: import { spawnSync } from 'node:child_process';
L7: import fs from 'node:fs';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/pendpost.mjs · L1
L113: // Boot the server in THIS process (server.mjs runs server.listen() at module load).
L114: await import(pathToFileURL(path.join(INSTALL_ROOT, 'server.mjs')).href);
L115:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/pendpost.mjs · L113
lib/x-oauth1.mjs
L17: export function pctEncode(str) {
L18:   return encodeURIComponent(String(str)).replace(/[!*'()]/g, (c) => `%${c.charCodeAt(0).toString(16).toUpperCase()}`);
L19: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/x-oauth1.mjs · L17
app/dist/assets/inter-latin-variable-Dx4kXJAl.woff2
path = app/dist/assets/inter-latin-variable-Dx4kXJAl.woff2
kind = high_entropy_blob
sizeBytes = 48256
magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

app/dist/assets/inter-latin-variable-Dx4kXJAl.woff2

Findings

4 High · 4 Medium · 5 Low
High · Child Process · bin/pendpost.mjs
High · Shell
High · Runtime Package Install · bin/pendpost.mjs
High · Ships High Entropy Blob · app/dist/assets/inter-latin-variable-Dx4kXJAl.woff2
Medium · Dynamic Require · bin/pendpost.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · lib/x-oauth1.mjs
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings