
publishport-opencli@1.8.5-pp.9

Make any website or Electron App your CLI. AI-powered.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 23 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Telemetry, Url Strings
Manifest: No manifest risk signals triggered.
scanned 2,132 file(s), 11.5 MB of source, external domains: (truncated domain list omitted)

Source & flagged code

14 flagged
package.json
scripts.postinstall = node scripts/postinstall.js || true; node scripts/fetch-adapters.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js || true; node scripts/fetch-adapters.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
clis/douyin/_shared/tos-upload-short-read.test.js
patternName = aws_access_key · severity = critical · line = 47 · matchedText = access_k...LE',
Critical
Critical Secret

Package contains a critical-looking secret pattern.

clis/douyin/_shared/tos-upload-short-read.test.js · L47
patternName = aws_access_key · severity = critical · line = 47 · matchedText = access_k...LE',
Critical
Secret Pattern

AWS access key ID in clis/douyin/_shared/tos-upload-short-read.test.js

clis/douyin/_shared/tos-upload-short-read.test.js · L47
patternName = aws_access_key · severity = critical · line = 67 · matchedText = access_k...LE',
Critical
Secret Pattern

AWS access key ID in clis/douyin/_shared/tos-upload-short-read.test.js

clis/douyin/_shared/tos-upload-short-read.test.js · L67
dist/src/weixin-download.test.js
L22: const mod = await loadModule();
L23: const extractInPage = eval(mod.buildExtractWechatPublishTimeJs());
L24: expect(extractInPage('', 'var create_time = "1711291080";')).toBe('2024-03-24 22:38:00');
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/weixin-download.test.js · L22
dist/src/discovery.js
L181: return;
L182: await import(pathToFileURL(filePath).href).catch((err) => {
L183: log.warn(`Failed to load module ${filePath}: ${getErrorMessage(err)}`);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/discovery.js · L181
clis/douban/utils.test.js
L109: location: {
L110: href: 'https://search.douban.com/movie/subject_search?search_text=%E5%B0%84%E9%9B%95%E8%8B%B1%E9%9B%84%E4%BC%A0',
L111: origin: 'https://search.douban.com',
...
L134: it('rejects non-http photo urls during promotion', () => {
L135: expect(promoteDoubanPhotoUrl('data:image/gif;base64,abc')).toBe('');
L136: });
...
L449: // eslint-disable-next-line no-new-func
L450: return new Function(`return (${fn.toString()})`)();
L451: }
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

clis/douban/utils.test.js · L109
clis/flomo/memos.js
L76: params.sign = createHash('md5').update(signBase + '[redacted]').digest('hex');
L77: return 'https://flomoapp.com/api/v1/memo/updated/?' + new URLSearchParams(params).toString();
L78: }
...
L85: if (!raw) return null;
L86: const me = JSON.parse(raw);
L87: const token = me?.access_token || me?.data?.access_token || '';
Low
Weak Crypto

Package source references weak cryptographic algorithms.

clis/flomo/memos.js · L76
scripts/postinstall.js
L7:  * standard completion directory. For zsh and bash, the script prints manual
L8:  * instructions instead of modifying rc files (~/.zshrc, ~/.bashrc) — this
L9:  * avoids breaking multi-line shell commands and other fragile rc structures.
...
L60: function detectShell() {
L61: const shell = process.env.SHELL || '';
L62: if (shell.includes('zsh')) return 'zsh';
...
L77: // Skip in CI environments
L78: if (process.env.CI || process.env.CONTINUOUS_INTEGRATION) {
L79: return;
...
L93:
L94: const home = homedir();
L95:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/postinstall.js · L7
scripts/check-doc-coverage.sh
path = scripts/check-doc-coverage.sh · kind = build_helper · sizeBytes = 2256 · magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/check-doc-coverage.sh
dist/src/observation/redaction.test.js
patternName = generic_password · severity = medium · line = 28 · matchedText = password...D]',
Medium
Secret Pattern

Hardcoded password in dist/src/observation/redaction.test.js

dist/src/observation/redaction.test.js · L28
clis/douyin/_shared/tos-upload.test.js
patternName = aws_access_key · severity = critical · line = 149 · matchedText = access_k...LE',
Critical
Secret Pattern

AWS access key ID in clis/douyin/_shared/tos-upload.test.js

clis/douyin/_shared/tos-upload.test.js · L149
patternName = aws_access_key · severity = critical · line = 166 · matchedText = expect(h...t');
Critical
Secret Pattern

AWS access key ID in clis/douyin/_shared/tos-upload.test.js

clis/douyin/_shared/tos-upload.test.js · L166

Findings

5 Critical · 1 High · 9 Medium · 8 Low
Critical · Critical Secret · clis/douyin/_shared/tos-upload-short-read.test.js
Critical · Secret Pattern · clis/douyin/_shared/tos-upload-short-read.test.js
Critical · Secret Pattern · clis/douyin/_shared/tos-upload-short-read.test.js
Critical · Secret Pattern · clis/douyin/_shared/tos-upload.test.js
Critical · Secret Pattern · clis/douyin/_shared/tos-upload.test.js
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/src/discovery.js
Medium · Unsafe Vm Context · clis/douban/utils.test.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · scripts/postinstall.js
Medium · Ships Build Helper · scripts/check-doc-coverage.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/src/observation/redaction.test.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval · dist/src/weixin-download.test.js
Low · Weak Crypto · clis/flomo/memos.js
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings