registry  /  turbollm  /  1.6.3

turbollm@1.6.3

TurboLLM — local LLM platform: run any inference engine auto-tuned to your GPU, with a web UI and OpenAI/Anthropic-compatible API. Point Claude Code at your own machine in one command.

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 85 file(s), 4.96 MB of source, external domains: 127.0.0.1, api.github.com, api.githubcopilot.com, api.tavily.com, chevrotain.io, cmake.org, developer.nvidia.com, en.wikipedia.org, gcc.gnu.org, git-scm.com, github.com, huggingface.co, kagi.com, langium.org, mcp.apify.com, mcp.atlassian.com, mcp.cloudflare.com, mcp.linear.app, mcp.mixpanel.com, mcp.neon.tech, mcp.stripe.com, mcp.supabase.com, mcp.zapier.com, nodejs.org, pypi.org, radix-ui.com, react.dev, registry.npmjs.org, visualstudio.microsoft.com, www.ibm.com, www.w3.org

Source & flagged code

5 flagged · loading source
dist/cli.jsView file
3// src/cli.ts L4: import { spawn as spawn5 } from "child_process"; L5: import { openSync as openSync3, readFileSync as readFileSync11 } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L3
472const ps = `Expand-Archive -LiteralPath '${archive.replace(/'/g, "''")}' -DestinationPath '${destDir.replace(/'/g, "''")}' -Force`; L473: await execFileP("powershell", ["-NoProfile", "-NonInteractive", "-Command", ps], { maxBuffer: 16 * 1024 * 1024 }); L474: } else {
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L472
9557// src/engines/build-prereqs.ts L9558: import { execFile as execFile8 } from "child_process"; L9559: import { delimiter, join as join18 } from "path"; ... L9563: const dirs = toolchainDirs.map((d) => d.trim()).filter(Boolean); L9564: if (dirs.length === 0) return { ...process.env }; L9565: const env = { ...process.env }; ... L9570: var INSTALL_URLS = { L9571: git: "https://git-scm.com/downloads", L9572: cmake: "https://cmake.org/download/",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L9557
3// src/cli.ts L4: import { spawn as spawn5 } from "child_process"; L5: import { openSync as openSync3, readFileSync as readFileSync11 } from "fs"; ... L24: function legacyDataDir() { L25: const base2 = process.platform === "win32" ? process.env.APPDATA || join(homedir(), "AppData", "Roaming") : process.platform === "darwin" ? join(homedir(), "Library", "Application ... L26: return join(base2, "turbollm"); ... L50: if (!existsSync(cfgPath)) return; L51: const cfg2 = JSON.parse(readFileSync(cfgPath, "utf8")); L52: let changed = false; ... L289: if (c.comfyui.url && !/^https?:\/\//i.test(c.comfyui.url)) { L290: throw new ValueError("comfyui.url", "must be an http(s):// origin (e.g. http://127.0.0.1:8188)"); L291: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L3
3// src/cli.ts L4: import { spawn as spawn5 } from "child_process"; L5: import { openSync as openSync3, readFileSync as readFileSync11 } from "fs"; ... L24: function legacyDataDir() { L25: const base2 = process.platform === "win32" ? process.env.APPDATA || join(homedir(), "AppData", "Roaming") : process.platform === "darwin" ? join(homedir(), "Library", "Application ... L26: return join(base2, "turbollm"); ... L50: if (!existsSync(cfgPath)) return; L51: const cfg2 = JSON.parse(readFileSync(cfgPath, "utf8")); L52: let changed = false; ... L289: if (c.comfyui.url && !/^https?:\/\//i.test(c.comfyui.url)) { L290: throw new ValueError("comfyui.url", "must be an http(s):// origin (e.g. http://127.0.0.1:8188)"); L291: }
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

dist/cli.jsView on unpkg · L3

Findings

4 High5 Medium7 Low
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSame File Env Network Executiondist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
MediumUnsafe Vm Contextdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings