registry  /  terse-cli  /  0.2.4

terse-cli@0.2.4

CLI for scaffolding, testing, and deploying [Terse](https://useterse.ai) workflows.

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 106 file(s), 563 KB of source, external domains: api.useterse.ai, api.workos.com, app.useterse.ai, docs.useterse.ai, github.com, pypi.org, raw.githubusercontent.com, registry.npmjs.org, your-app.example.com

Source & flagged code

4 flagged · loading source
dist/providers/typescript/durableRuntime.jsView file
19setWorld(world); L20: const require = createRequire(import.meta.url); L21: world.registerHandler("__wkf_step_", require(path.join(out, "steps.cjs")).POST);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/providers/typescript/durableRuntime.jsView on unpkg · L19
dist/commands/target.jsView file
8const BLOCK_END = "# <<< terse target <<<"; L9: const LOCAL_BACKEND_URL = "http://localhost:3001"; L10: const LOCAL_FRONTEND_URL = "http://localhost:5173"; L11: export function targetStatus() { L12: const backendEnv = process.env.TERSE_BACKEND_URL; L13: const frontendEnv = process.env.TERSE_FRONTEND_URL; ... L34: if (!rcPath) { L35: console.log(chalk.yellow("Could not detect a shell rc file (~/.zshrc or ~/.bashrc).")); L36: console.log("Add these lines to your shell config manually:\n"); ... L110: const shell = process.env.SHELL ?? ""; L111: const home = os.homedir(); L112: if (shell.includes("zsh"))
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands/target.jsView on unpkg · L8
dist/auth.jsView file
2import chalk from "chalk"; L3: import { exec } from "node:child_process"; L4: import fs from "node:fs"; ... L9: import { BACKEND_URL, WORKOS_CLIENT_ID } from "./config.js"; L10: const DEVICE_AUTH_URL = "https://api.workos.com/user_management/authorize/device"; L11: const TOKEN_URL = "https://api.workos.com/user_management/authenticate"; ... L16: function openInBrowser(url) { L17: const platform = process.platform; L18: const cmd = platform === "darwin" ? "open" : platform === "win32" ? "start" : "xdg-open"; ... L24: headers: { "Content-Type": "application/x-www-form-urlencoded" }, L25: body: new URLSearchParams({ client_id: WORKOS_CLIENT_ID }) L26: });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/auth.jsView on unpkg · L2
dist/commands/install.jsView file
matchType = previous_version_dangerous_delta matchedPackage = terse-cli@0.1.70 matchedIdentity = npm:dGVyc2UtY2xp:0.1.70 similarity = 0.821 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/install.jsView on unpkg

Findings

2 High5 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/auth.js
HighPrevious Version Dangerous Deltadist/commands/install.js
MediumDynamic Requiredist/providers/typescript/durableRuntime.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands/target.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License