A chat response can cause automatic local file writes. Server-controlled document filenames are joined without traversal validation, allowing writes outside the intended documents directory.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs an authenticated chat or one-off request and the service returns an attachment.
Impact
A compromised or malicious service response could overwrite user-writable files with attacker-provided content.
Mechanism
Unsanitized remote attachment filename passed to `writeFileSync`.
Rationale
The package is not demonstrably malicious: its lifecycle hook is informational and its network/file-transfer behavior is aligned with a chat CLI. However, automatic traversal-prone writes from remote response data are a concrete local-file-write vulnerability that warrants a warning.
Evidence
package.jsonbin/postinstall.jssrc/index.jssrc/auth.jssrc/config.jssrc/ui.js~/.quecksilver/config.json~/quecksilver/documents/${att.filename}~/quecksilver/images/image-${Date.now()}${ext}
Network endpoints3
pwdncixmwxedfhtiwpmt.supabase.co/functions/v1/cli-chatpwdncixmwxedfhtiwpmt.supabase.co/rest/v1/profiles?select=is_pro&id=eq.${userId}quecksilver.ch/cli-auth