
social-autoposter@1.6.173

Automated social posting pipeline for Reddit, X/Twitter, LinkedIn, and Moltbook. Install as a Claude Code agent skill.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
    Source signals: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell, WebSocket
    Supply chain signals: High Entropy Strings, Url Strings
    Manifest: no manifest risk signals triggered.

Scanned 18 file(s), 420 KB of source. Domains the scanner lists as external: 127.0.0.1, app.s4l.ai, astral.sh, dl.google.com, github.com, s4l.ai, www.apple.com, www.google.com. Note that 127.0.0.1 is the loopback address, so that entry is a local endpoint rather than an external host.

Source & flagged code

6 flagged
bin/cookie-helper.js (L13)
    L14: const { spawn, spawnSync } = require('child_process');
    L15: const fs = require('fs');

High · Child Process
Package source references child process execution. The excerpt shows only the require of child_process; review every spawn/spawnSync call site in bin/cookie-helper.js for which binary is invoked, how its arguments are built, and whether shell: true is used.

Medium · Dynamic Require
Package source references dynamic require/import behavior. The excerpt attached to this finding is the same static require('child_process') shown above; the dynamic require/import the signal fired on is not in the excerpt, so locate it in the file before drawing conclusions.
bin/scheduler/launchd.js (L4)
    L4: const fs = require('fs');
    L5: const { execSync, spawnSync } = require('child_process');
    L6: const platform = require('../platform');
    ...
    L32: \t<array>
    L33: \t\t<string>/bin/bash</string>
    L34: \t\t<string>${job.script}</string>
    ...
    L38: \t<key>StandardOutPath</key>
    L39: \t<string>${job.stdoutLog}</string>
    L40: \t<key>StandardErrorPath</key>
    ...
    L80: try {
    L81:   const out = execSync('launchctl list', { stdio: 'pipe', maxBuffer: 8 * 1024 * 1024 }).toString();
    L82:   for (const line of out.split('\n').slice(1)) {

Medium · Install Persistence
Source writes installer persistence such as shell profile or service configuration. Here it renders a launchd property list whose ProgramArguments run /bin/bash on ${job.script} and reads back the output of launchctl list. To triage, check where job.script, job.stdoutLog and the plist label come from, which directory the plist is written to (LaunchAgents vs LaunchDaemons), and which trigger keys (RunAtLoad, StartInterval, KeepAlive) the full template sets; the excerpt does not show them.
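The following is an added triage helper for the Install Persistence finding, not code from the package or from the scanner. It parses a launchd plist with the standard library's plistlib and reports what the job executes and which keys make it start without user action. The sample plist is constructed to mirror the template fragment above (/bin/bash plus a job script, stdout/stderr log paths); its label, paths and trigger keys are assumptions for the example.

```python
import plistlib
from pathlib import Path

# Constructed sample LaunchAgent plist, modelled on the template fragment the
# scanner shows from bin/scheduler/launchd.js. The label, paths, interval and
# RunAtLoad key are assumptions for this example, not values from the package.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
\t<key>Label</key>
\t<string>com.example.autoposter.post</string>
\t<key>ProgramArguments</key>
\t<array>
\t\t<string>/bin/bash</string>
\t\t<string>/Users/alice/.autoposter/jobs/post.sh</string>
\t</array>
\t<key>StandardOutPath</key>
\t<string>/Users/alice/.autoposter/logs/post.out.log</string>
\t<key>StandardErrorPath</key>
\t<string>/Users/alice/.autoposter/logs/post.err.log</string>
\t<key>StartInterval</key>
\t<integer>1800</integer>
\t<key>RunAtLoad</key>
\t<true/>
</dict>
</plist>
"""

# Interpreters that mean "run whatever the script says" rather than a fixed binary.
SHELL_INTERPRETERS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/env"}

# launchd keys that start the job without an explicit launchctl start.
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                "StartCalendarInterval", "WatchPaths", "QueueDirectories")


def triage_launchd_plist(data: bytes) -> dict:
    """Summarise what a launchd job plist executes and when it is triggered."""
    job = plistlib.loads(data)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else None)
    triggers = {k: job[k] for k in TRIGGER_KEYS if k in job}
    notes = []
    script = None
    if program in SHELL_INTERPRETERS and len(args) > 1:
        # The payload is the script, not the interpreter: that file (and the
        # permissions of its directory) is what needs reading.
        script = args[1]
        notes.append(f"shell interpreter {program}; payload is {script}")
    if not triggers:
        notes.append("no automatic trigger keys; job runs only when started explicitly")
    return {
        "label": job.get("Label"),
        "program": program,
        "script": script,
        "triggers": triggers,
        "stdout": job.get("StandardOutPath"),
        "stderr": job.get("StandardErrorPath"),
        "notes": notes,
    }


def scan_launch_dirs(dirs=None) -> list:
    """Run the triage over every .plist in the given directories (defaults to
    the usual launchd locations). Corrupt files are reported, not raised."""
    if dirs is None:
        home = Path.home()
        dirs = [home / "Library/LaunchAgents", Path("/Library/LaunchAgents"),
                Path("/Library/LaunchDaemons")]
    results = []
    for d in dirs:
        for p in sorted(Path(d).glob("*.plist")):  # missing dir yields nothing
            try:
                r = triage_launchd_plist(p.read_bytes())
            except Exception as e:  # binary plists parse fine; junk does not
                r = {"error": str(e)}
            r["path"] = str(p)
            results.append(r)
    return results


if __name__ == "__main__":
    import json
    print(json.dumps(triage_launchd_plist(SAMPLE_PLIST), indent=2))
```

Run scan_launch_dirs() on the machine where the package was installed and compare the reported script paths with what bin/scheduler/launchd.js writes; a job whose payload lives in a user-writable directory is only as trustworthy as that directory's permissions.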
mcp/dist/screencast.js (L12)
    L12:  * CSP widening, no localhost network access from the iframe, and no extra
    L13:  * dependency: it uses Node's built-in global `WebSocket` (Node >= 21) and `fetch`.
    L14:  * ...
    L18:  */
    L19: import { execFile } from "node:child_process";
    L20: // Untyped indirection: Node ships a global WebSocket at runtime (>=21) but ...
    L27: const ports = [];
    L28: const env = process.env.TWITTER_CDP_URL || "";
    L29: const m = env.match(/:(\d+)/);

High · Same File Env Network Execution
A single source file combines environment access (TWITTER_CDP_URL), network access (the global WebSocket and fetch) and code or shell execution (execFile); review context before blocking. The excerpt shows the file deriving a port from the env var with /:(\d+)/, which takes the first colon-plus-digits run anywhere in the string; what execFile is actually invoked with lies outside the excerpt and is the part to read.
bin/cli.js (L813)
    L813: }
    L814: console.log(' installing MCP runtime deps (npm install --omit=dev in mcp/)');
    L815: const npmRes = spawnSync('npm', ['install', '--omit=dev', '--no-audit', '--no-fund'], {
    L816:   cwd: mcpDest,

High · Runtime Package Install
Package source invokes a package manager install command at runtime. The dependency set of mcp/ is therefore resolved on the user's machine when this runs rather than fixed when the package was published, and lifecycle scripts of those dependencies execute unless --ignore-scripts is passed (it is not in the excerpt). Check whether mcp/ ships a lockfile and whether its dependency versions are pinned.
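An added check for the Runtime Package Install finding, not code from the package. Given a directory and the npm argv that will run in it, it reports whether a lockfile exists, whether dependency specifiers are exact, whether lifecycle scripts are disabled, and whether the install is reproducible (npm ci against a lockfile). The argv is the one shown in bin/cli.js; the package.json it inspects is a constructed stand-in for mcp/package.json, and the dependency names in it are invented.

```python
import json
import re
import tempfile
from pathlib import Path

# Exact-version specifiers such as "1.2.3" or "1.2.3-beta.1". Anything else
# (ranges like ^1.2.0, tags like latest, git/http URLs, "*") is resolved on the
# user's machine at install time.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json")

# The argv shown in the bin/cli.js excerpt above.
PAGE_ARGV = ["npm", "install", "--omit=dev", "--no-audit", "--no-fund"]

# Constructed stand-in for mcp/package.json; dependency names are invented.
SAMPLE_MANIFEST = {
    "name": "mcp-runtime-sample",
    "dependencies": {
        "dep-a": "^1.4.0",                 # range: floats to newest 1.x
        "dep-b": "2.0.1",                  # exact
        "dep-c": "latest",                 # tag: whatever is current
        "dep-d": "github:example/dep-d",   # git: resolved at install time
    },
    "devDependencies": {"dep-test": "*"},  # skipped by --omit=dev
}


def triage_runtime_install(project_dir, argv):
    """Assess an npm argv run at runtime against the directory it installs into."""
    project_dir = Path(project_dir)
    manifest = json.loads((project_dir / "package.json").read_text())
    deps = {}
    for section in ("dependencies", "optionalDependencies"):
        deps.update(manifest.get(section) or {})
    subcommand = argv[1] if len(argv) > 1 else None
    lockfile = any((project_dir / f).exists() for f in LOCKFILES)
    flags = set(argv[2:])
    return {
        "subcommand": subcommand,
        "lockfile": lockfile,
        "ignore_scripts": "--ignore-scripts" in flags,
        # npm ci installs exactly what the lockfile records; npm install may
        # re-resolve ranges and rewrite the lockfile.
        "reproducible": subcommand == "ci" and lockfile,
        "unpinned": {n: v for n, v in deps.items() if not EXACT_VERSION.match(v)},
    }


def hardened_argv(argv):
    """Same install with lifecycle scripts disabled and the lockfile authoritative.
    Caveat: --ignore-scripts also skips this package's own install hooks, so
    confirm mcp/ does not depend on them before adopting it."""
    rest = [a for a in argv[2:] if a != "--ignore-scripts"]
    return ["npm", "ci"] + rest + ["--ignore-scripts"]


def demo():
    """Run the check on the sample project twice: the page's argv with no
    lockfile, then the hardened argv with a lockfile present."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "package.json").write_text(json.dumps(SAMPLE_MANIFEST))
        weak = triage_runtime_install(root, PAGE_ARGV)
        (root / "package-lock.json").write_text("{}")  # presence is what is checked
        hard = triage_runtime_install(root, hardened_argv(PAGE_ARGV))
    return weak, hard


if __name__ == "__main__":
    for result in demo():
        print(json.dumps(result, indent=2))
```

Point triage_runtime_install at the real mcp/ directory from the published tarball with PAGE_ARGV to see what the package's own install step actually does on a user's machine.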
skill/dm-outreach-reddit.sh
    path: skill/dm-outreach-reddit.sh
    kind: build_helper
    sizeBytes: 16928
    magicHex: [redacted]

Medium · Ships Build Helper
Package ships non-JavaScript build or shell helper files. The scanner classifies this roughly 17 KB script as a build helper, but its location under skill/ and its name suggest a skill script executed by the agent at runtime rather than at build time; read it for network calls, credential handling and anything it executes.

Findings (4 High · 6 Medium · 4 Low)

    High    Child Process                       bin/cookie-helper.js
    High    Shell
    High    Same File Env Network Execution     mcp/dist/screencast.js
    High    Runtime Package Install             bin/cli.js
    Medium  Dynamic Require                     bin/cookie-helper.js
    Medium  Network
    Medium  Environment Vars
    Medium  Install Persistence                 bin/scheduler/launchd.js
    Medium  Ships Build Helper                  skill/dm-outreach-reddit.sh
    Medium  Structural Risk Force Deep Review
    Low     Scripts Present
    Low     Filesystem
    Low     High Entropy Strings
    Low     Url Strings