registry  /  shellular  /  0.0.45

shellular@0.0.45

⚠ Under review

Shellular CLI — host your dev environment for remote access from your phone.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 2 file(s), 665 KB of source, external domains: app.shellular.dev, chatgpt.com, claude.ai, cursor.com, gh.io, opencode.ai, raw.githubusercontent.com, registry.npmjs.org, x.ai

Source & flagged code

5 flagged · loading source
dist/main.jsView file
26L27: // package.json L28: var package_default = { ... L37: prepublishOnly: "pnpm run build", L38: "ci:publish": "pnpm publish --access public", L39: "try-run": "pnpm run build && node dist/main.js" ... L133: // src/utils.ts L134: import { execFile, spawnSync } from "child_process"; L135: import fs from "fs"; ... L155: } L156: const shell2 = process2.env.SHELL || "/bin/sh"; L157: const result = spawnSync(shell2, ["-lc", `which ${command}`], {
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/main.jsView on unpkg · L26
Trigger-reachable chain: manifest.main -> dist/main.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/main.jsView on unpkg
133// src/utils.ts L134: import { execFile, spawnSync } from "child_process"; L135: import fs from "fs";
High
Child Process

Package source references child process execution.

dist/main.jsView on unpkg · L133
433}, L434: PowerShell: { L435: os: ["windows"],
High
Shell

Package source references shell execution.

dist/main.jsView on unpkg · L433
26L27: // package.json L28: var package_default = { ... L37: prepublishOnly: "pnpm run build", L38: "ci:publish": "pnpm publish --access public", L39: "try-run": "pnpm run build && node dist/main.js" ... L133: // src/utils.ts L134: import { execFile, spawnSync } from "child_process"; L135: import fs from "fs"; ... L155: } L156: const shell2 = process2.env.SHELL || "/bin/sh"; L157: const result = spawnSync(shell2, ["-lc", `which ${command}`], {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/main.jsView on unpkg · L26

Findings

2 Critical2 High3 Medium6 Low
CriticalRemote Asset Decode Executedist/main.js
CriticalTrigger Reachable Dangerous Capabilitydist/main.js
HighChild Processdist/main.js
HighShelldist/main.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/main.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License