registry  /  tinyposter-reels  /  0.1.1

tinyposter-reels@0.1.1

One-command installer for the Tinyposter Trial Reels skill (Claude Code + Codex)

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 61.1 KB of source, external domains: claude.com, developers.openai.com, nodejs.org, tinyposter.app

Source & flagged code

1 flagged · loading source
src/mcp.mjsView file
2// wrapped: a broken agent CLI downgrades to a printed hint, never a crash. L3: import { spawnSync } from "node:child_process"; L4: import { color, info, ok, warn, fail } from "./ui.mjs"; L5: L6: const MCP_URL = "https://tinyposter.app/api/mcp"; L7: L8: function runCli(cmd, args, { timeout = 60000, inherit = false } = {}) { L9: const isWin = process.platform === "win32"; L10: try { ... L17: if (res.error) return { ok: false, out: "", detail: res.error.message }; L18: const out = `${res.stdout || ""}\n${res.stderr || ""}`; L19: const lastLine = (res.stderr || res.stdout || "").trim().split("\n").pop() || "";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/mcp.mjsView on unpkg · L2

Findings

1 High3 Medium3 Low
HighSandbox Evasion Gated Capabilitysrc/mcp.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings