registry  /  shortcutxl  /  0.3.64

shortcutxl@0.3.64

An AI agent that lives on your computer and has Excel superpowers. Made by the [Shortcut](https://shortcut.ai) team.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 23 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 812 file(s), 5.20 MB of source, external domains: 127.0.0.1, agent.shortcut.ai, ai-gateway.vercel.sh, analytics-staging.shortcut.ai, analytics.shortcut.ai, api-staging.shortcut.ai, api.anthropic.com, api.cerebras.ai, api.github.com, api.groq.com, api.kimi.com, api.minimax.io, api.minimaxi.com, api.openai.com, api.shortcut.ai, api.x.ai, api.z.ai, app.shortcut.ai, auth-staging.shortcut.ai, auth.shortcut.ai, chat.qwen.ai, claude.ai, cloud.gitlab.com, console.anthropic.com, dashscope.aliyuncs.com, distro.ibiblio.org, dotenvx.com, feross.org, generativelanguage.googleapis.com, git-scm.com, github.com, gitlab.com, jimmy.warting.se, mcp.notion.com, opencode.ai, openrouter.ai, registry.npmjs.org, router.huggingface.co, staging-agent.shortcut.ai, vestauth.com, www.apache.org, www.googleapis.com
Oversized source lightweight scan
dist/cli.js22.4 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsShellDynamicRequireHighEntropyStringsUrlStringsdotenvx.comfeross.orggithub.comjimmy.warting.sevestauth.comwww.apache.org

Source & flagged code

15 flagged · loading source
xll/python/Lib/site-packages/httpx/_urls.pyView file
336patternName = generic_password severity = medium line = 336 matchedText = username...ret"
Medium
Secret Pattern

Package contains a possible secret pattern.

xll/python/Lib/site-packages/httpx/_urls.pyView on unpkg · L336
agent-docs/examples/extensions/doom-overlay/doom-engine.tsView file
70const nativeRequire = createRequire(doomJsPath); L71: const moduleFunc = new Function( L72: 'module',
Low
Eval

Package source references a known benign dynamic code generation pattern.

agent-docs/examples/extensions/doom-overlay/doom-engine.tsView on unpkg · L70
dist/app/extensions/loader.jsView file
12import { createEventBus } from './event-bus.js'; L13: const require = createRequire(import.meta.url); L14: let _aliases = null;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/app/extensions/loader.jsView on unpkg · L12
dist/app/shared/tools/execute-code/mog.jsView file
1/** L2: * MOG execute_code provider — execute TypeScript code against a headless spreadsheet engine.
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/app/shared/tools/execute-code/mog.jsView on unpkg · L1
dist/tui/render-trace.jsView file
214pid: process.pid, L215: cwd: process.cwd(), L216: platform: process.platform, L217: node: process.version,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/tui/render-trace.jsView on unpkg · L214
xll/ShortcutXL.xllView file
path = xll/ShortcutXL.xll kind = native_binary sizeBytes = 83456 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

xll/ShortcutXL.xllView on unpkg
xll/python/Scripts/pywin32_postinstall.pyView file
path = xll/python/Scripts/pywin32_postinstall.py kind = build_helper sizeBytes = 25736 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

xll/python/Scripts/pywin32_postinstall.pyView on unpkg
xll/python/python313.zipView file
path = xll/python/python313.zip kind = compressed_blob sizeBytes = 3803666 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

xll/python/python313.zipView on unpkg
path = xll/python/python313.zip kind = nested_archive_needs_inspection sizeBytes = 3803666 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

xll/python/python313.zipView on unpkg
user-docs/dist/shortcutxl-docs.pdfView file
path = user-docs/dist/shortcutxl-docs.pdf kind = high_entropy_blob sizeBytes = 716277 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

user-docs/dist/shortcutxl-docs.pdfView on unpkg
xll/python/Lib/site-packages/win32comext/axscript/test/testHost4Dbg.pyView file
path = xll/python/Lib/site-[redacted].py kind = payload_in_excluded_dir sizeBytes = 2735 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

xll/python/Lib/site-packages/win32comext/axscript/test/testHost4Dbg.pyView on unpkg
dist/cli.jsView file
path = dist/cli.js kind = oversized_source_file sizeBytes = 23517956 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.jsView on unpkg
path = dist/cli.js kind = oversized_cli_entrypoint sizeBytes = 23517956 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.jsView on unpkg
xll/python/Lib/site-packages/adodbapi/test/adodbapitestconfig.pyView file
162patternName = generic_password severity = medium line = 162 matchedText = _passwor...678"
Medium
Secret Pattern

Hardcoded password in xll/python/Lib/site-packages/adodbapi/test/adodbapitestconfig.py

xll/python/Lib/site-packages/adodbapi/test/adodbapitestconfig.pyView on unpkg · L162
xll/python/Lib/site-packages/adodbapi/test/test_adodbapi_dbapi20.pyView file
65patternName = generic_password severity = medium line = 65 matchedText = _passwor...678"
Medium
Secret Pattern

Hardcoded password in xll/python/Lib/site-packages/adodbapi/test/test_adodbapi_dbapi20.py

xll/python/Lib/site-packages/adodbapi/test/test_adodbapi_dbapi20.pyView on unpkg · L65

Findings

3 High12 Medium8 Low
HighShips High Entropy Blobuser-docs/dist/shortcutxl-docs.pdf
HighPayload In Excluded Dirxll/python/Lib/site-packages/win32comext/axscript/test/testHost4Dbg.py
HighOversized Source Filedist/cli.js
MediumSecret Patternxll/python/Lib/site-packages/httpx/_urls.py
MediumDynamic Requiredist/app/extensions/loader.js
MediumUnsafe Vm Contextdist/app/shared/tools/execute-code/mog.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binaryxll/ShortcutXL.xll
MediumShips Build Helperxll/python/Scripts/pywin32_postinstall.py
MediumShips Compressed Blobxll/python/python313.zip
MediumOversized Cli Entrypointdist/cli.js
MediumStructural Risk Force Deep Review
MediumSecret Patternxll/python/Lib/site-packages/adodbapi/test/adodbapitestconfig.py
MediumSecret Patternxll/python/Lib/site-packages/adodbapi/test/test_adodbapi_dbapi20.py
LowScripts Present
LowEvalagent-docs/examples/extensions/doom-overlay/doom-engine.ts
LowWeak Cryptodist/tui/render-trace.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionxll/python/python313.zip