registry  /  torollo  /  1.1.1

torollo@1.1.1

Interactive visual system design learning lab and container supervisor.

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 1.20 MB of source, external domains: get.docker.com, react.dev, reactflow.dev, socket.io, www.docker.com, www.w3.org

Source & flagged code

3 flagged · loading source
bin/cli.jsView file
2L3: const { execSync, exec } = require('child_process'); L4: const path = require('path');
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L2
115L116: const { spawn } = require('child_process'); L117: L118: const backendProcess = spawn('node', [path.join(backendPath, 'dist/server.js')], { L119: env: { ...process.env, PORT: backendPort }, L120: stdio: 'ignore' ... L130: console.log(`${colors.green}${colors.bold}[*] Torollo System Lab is ready!${colors.reset}`); L131: console.log(`${colors.cyan}[>] Access it here: ${colors.reset}${colors.bold}http://localhost:${frontendPort}${colors.reset}`); L132: console.log(`${colors.cyan}================================================${colors.reset}\n`);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/cli.jsView on unpkg · L115
2L3: const { execSync, exec } = require('child_process'); L4: const path = require('path'); L5: const fs = require('fs'); L6: const net = require('net'); L7: // concurrently removed ... L13: function openUrl(url) { L14: const start = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start ""' : 'xdg-open'; L15: exec(`${start} ${url}`); ... L94: L95: const backendPath = path.join(__dirname, '../backend'); L96: const frontendPath = path.join(__dirname, '../frontend');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/cli.jsView on unpkg · L2

Findings

4 High3 Medium5 Low
HighChild Processbin/cli.js
HighShell
HighSame File Env Network Executionbin/cli.js
HighSandbox Evasion Gated Capabilitybin/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings