registry  /  pocketstack-cli  /  0.3.0

pocketstack-cli@0.3.0

Command-line interface for PocketStack — manage your fleet from the terminal.

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 39.6 KB of source, external domains: 127.0.0.1, app.pocketstack.host, github.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
204// src/lib/updater.ts L205: import { spawnSync } from "child_process"; L206: import { mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L204
271throw new CliError( L272: `Automatic upgrade isn't supported for the Windows binary yet. Download the latest release from https://github.com/${REPO}/releases/latest` L273: ); ... L275: const command = `curl -fsSL https://raw.githubusercontent.com/${REPO}/main/scripts/install.sh | sh`; L276: const result = spawnSync("sh", ["-c", command], { L277: stdio: "inherit", L278: env: { ...process.env, POCKETSTACK_VERSION: latest } L279: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L271
5L6: // package.json L7: var package_default = { ... L19: author: "Rafael Vieira (@rafaelvieiras)", L20: homepage: "https://github.com/rafaelvieiras/pocketstack-cli#readme", L21: repository: { ... L98: const raw = await readFile(CREDENTIALS_PATH, "utf8"); L99: const parsed = JSON.parse(raw); L100: return { version: 1, default: parsed.default, accounts: parsed.accounts ?? {} }; ... L140: const opts = command.optsWithGlobals(); L141: const host = opts.host ?? process.env.POCKETSTACK_HOST ?? DEFAULT_HOST; L142: return {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L5
scripts/install.shView file
path = scripts/install.sh kind = build_helper sizeBytes = 3817 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/install.shView on unpkg

Findings

4 High4 Medium5 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/install.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings