
replicas-cli@0.2.313

CLI for managing Replicas workspaces - SSH into cloud dev environments with automatic port forwarding

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: WildcardDependency

Scanned 21 file(s), 1.43 MB of source. External domains: 127.0.0.1, 169.254.169.254, 169.254.170.2, a.co, api.tryreplicas.com, auth.openai.com, aws.amazon.com, claude.ai, console.anthropic.com, developers.google.com, developers.linear.app, docs.aws.amazon.com, docs.google.com, docs.replicas.dev, docs.slack.dev, docs.tryreplicas.com, example.com, github.com, gitlab.com, linear.app, news.ycombinator.com, portal.sso, portal.sso-fips, react-native.canny.io, replicas.dev, signin-fips.amazonaws-us-gov.com, slack.com, sts.amazonaws.com, team.slack.com, tryreplicas.com, www.w3.org

Source & flagged code

6 flagged

dist/index.mjs

    L7456: patternName = supabase_service_key severity = critical line = 7456 matchedText = var supa...tM";

Critical · Critical Secret
Package contains a critical-looking secret pattern.
dist/index.mjs · L7456

    L7456: patternName = supabase_service_key severity = critical line = 7456 matchedText = var supa...tM";

Critical · Secret Pattern
Supabase service role key (JWT) in dist/index.mjs
dist/index.mjs · L7456

    L14341: const query = qs.toString() ? `?${qs.toString()}` : "";
    L14342: const { media } = await agentFetch(`/v1/engine/media${query}`);
    L14343: for (const m of media) {
    ...
    L14348: // src/commands/computer.ts
    L14349: import { spawn as spawn3, spawnSync } from "child_process";
    L14350: import { closeSync, existsSync, mkdirSync, openSync, readFileSync, readSync, rmSync, writeFileSync } from "fs";
    ...
    L14352: import chalk20 from "chalk";
    L14353: var STATE_DIR = process.env.REPLICAS_DESKTOP_STATE_DIR || "/tmp/replicas-computer";
    L14354: var DEFAULT_DISPLAY = process.env.REPLICAS_DESKTOP_DISPLAY || ":99";

High · Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.mjs · L14341
dist/dist-es-XUNSYJ43.mjs

    L14: // ../node_modules/.bun/@aws-sdk+credential-provider-process@3.972.48/node_modules/@aws-sdk/credential-provider-process/dist-es/resolveProcessCredentials.js
    L15: import { exec } from "child_process";
    L16: import { promisify } from "util";

High · Child Process
Package source references child process execution.
dist/dist-es-XUNSYJ43.mjs · L14
dist/chunk-NVNLENJ4.mjs

    L9: dateToUtcString,
    L10: fromBase64,
    L11: fromUtf8,
    ...
    L337: var DEFAULT_PROFILE = "default";
    L338: var getProfileName = (init) => init.profile || process.env[ENV_PROFILE] || DEFAULT_PROFILE;
    L339: ...
    L362: if (!homeDirCache[homeDirCacheKey])
    L363: homeDirCache[homeDirCacheKey] = homedir();
    L364: return homeDirCache[homeDirCacheKey];
    ...
    L686: if (region === "*") {
    L687: console.warn(`@smithy/config-resolver WARN - Please use the caller region instead of "*". See "sigv4a" in https://github.com/aws/aws-sdk-js-v3/blob/main/supplemental-docs/CLIENTS.m...
    L688: } else {

Low · Weak Crypto
Package source references weak cryptographic algorithms.
dist/chunk-NVNLENJ4.mjs · L9
dist/dist-es-UXGKQHMI.mjs

    L72: if (response.statusCode === 200) {
    L73: const parsed = JSON.parse(str);
    L74: if (typeof parsed.AccessKeyId !== "string" || typeof parsed.SecretAccessKey !== "string" || typeof parsed.Token !== "string" || typeof parsed.Expiration !== "string") {
    ...
    L113: var AWS_CONTAINER_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
    L114: var DEFAULT_LINK_LOCAL_HOST = "http://169.254.170.2";
    L115: var AWS_CONTAINER_CREDENTIALS_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
    ...
    L120: let host;
    L121: const relative = options.[redacted] ?? process.env[AWS_CONTAINER_CREDENTIALS_RELATIVE_URI];
    L122: const full = options.awsContainerCredentialsFullUri ?? process.env[AWS_CONTAINER_CREDENTIALS_FULL_URI];

High · Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/dist-es-UXGKQHMI.mjs · L72

Findings

2 Critical · 4 High · 4 Medium · 6 Low

Critical · Critical Secret · dist/index.mjs
Critical · Secret Pattern · dist/index.mjs
High · Child Process · dist/dist-es-XUNSYJ43.mjs
High · Shell
High · Same File Env Network Execution · dist/index.mjs
High · Cloud Metadata Access · dist/dist-es-UXGKQHMI.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/chunk-NVNLENJ4.mjs
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings