registry  /  sortlist-max-cli  /  1.5.0

sortlist-max-cli@1.5.0

Max CLI - Command line interface for the Max lead intelligence API. Discover leads, manage subscriptions, and automate workflows from the terminal or AI agents.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 36.3 KB of source, external domains: acme.com, api.yourmax.ai, example.com, github.com, www.linkedin.com, yourmax.ai

Source & flagged code

3 flagged · loading source
dist/index.jsView file
80// src/oauth.ts L81: var import_child_process = require("child_process"); L82: var import_node_fetch = __toESM(require("node-fetch"));
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L80
70function getConfig() { L71: const envKey = process.env.SIGNALS_API_KEY; L72: if (envKey) return { apiKey: envKey }; ... L80: // src/oauth.ts L81: var import_child_process = require("child_process"); L82: var import_node_fetch = __toESM(require("node-fetch")); ... L84: function oauthBaseUrl() { L85: return (process.env.SIGNALS_OAUTH_URL || "https://yourmax.ai").replace(/\/$/, ""); L86: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L70
36var import_path = require("path"); L37: var CONFIG_DIR = (0, import_path.join)((0, import_os.homedir)(), ".signals"); L38: var CONFIG_FILE = (0, import_path.join)(CONFIG_DIR, "config.json"); ... L50: try { L51: const data = JSON.parse((0, import_fs.readFileSync)(CONFIG_FILE, "utf-8")); L52: const config = {}; ... L70: function getConfig() { L71: const envKey = process.env.SIGNALS_API_KEY; L72: if (envKey) return { apiKey: envKey }; ... L80: // src/oauth.ts L81: var import_child_process = require("child_process"); L82: var import_node_fetch = __toESM(require("node-fetch"));
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L36

Findings

3 High3 Medium5 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings