registry  /  univer-cli  /  0.3.2

univer-cli@0.3.2

⚠ Under review

Command-line tools for local Univer workbook automation.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 182 file(s), 7.90 MB of source, external domains: 127.0.0.1, example.com, github.com, redi.wzhu.dev, univer.ai
Oversized source lightweight scan
chunks/vendor-COck-QwK.js11.6 MB file, sampled 256 KB
FilesystemMinified
render-runtime/assets/index-BDdLIBKr.js18.1 MB file, sampled 256 KB
NetworkChildProcessDynamicRequireHighEntropyStringsMinifiedUrlStringsredi.wzhu.dev
view/assets/vendor-DoabQ6r1.js23.0 MB file, sampled 256 KB
ChildProcessMinifiedUrlStringsredi.wzhu.dev

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = node ./internal/product-telemetry.js postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./internal/product-telemetry.js postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/univer.jsView file
4import { dirname, join, resolve } from "node:path"; L5: import { spawn } from "node:child_process"; L6: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

bin/univer.jsView on unpkg · L4
4Cross-file remote execution chain: bin/univer.js spawns internal/product-telemetry.js; helper contains network access plus dynamic code execution. L4: import { dirname, join, resolve } from "node:path"; L5: import { spawn } from "node:child_process"; L6: import { fileURLToPath } from "node:url"; ... L10: if (manager === "bun") { L11: process.env.UNIVER_MANAGED_BY_BUN = "1"; L12: delete process.env.UNIVER_MANAGED_BY_NPM; ... L20: const { runPublicCli } = await import("../internal/cli.js"); L21: process.exitCode = await runPublicCli({ L22: args: process.argv.slice(2), ... L50: const configPath = resolve(dirname(telemetryEntry), "product-telemetry.json"); L51: const config = JSON.parse(readFileSync(configPath, "utf8")); L52: return typeof config.endpoint === "string" && config.endpoint.trim().length > 0;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/univer.jsView on unpkg · L4
chunks/build-id-DLcSEx-D.jsView file
1(function(_0x24ff03,_0x32395e){const _0xc65257=_0x2695,_0x488c2c=_0x24ff03();while(!![]){try{const _0x5dfded=parseInt(_0xc65257(0x1c3))/0x1*(parseInt(_0xc65257(0x1c1))/0x2)+-parseI...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

chunks/build-id-DLcSEx-D.jsView on unpkg · L1
internal/product-telemetry.jsView file
1#!/usr/bin/env node L2: const _0x23c586=_0x10ec;(function(_0x3ebab9,_0x2ab847){const _0x30e620=_0x10ec,_0x36c6b4=_0x3ebab9();while(!![]){try{const _0x53c3a6=-parseInt(_0x30e620(0xc5))/0x1*(-parseInt(_0x30...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

internal/product-telemetry.jsView on unpkg · L1
1#!/usr/bin/env node L2: const _0x23c586=_0x10ec;(function(_0x3ebab9,_0x2ab847){const _0x30e620=_0x10ec,_0x36c6b4=_0x3ebab9();while(!![]){try{const _0x53c3a6=-parseInt(_0x30e620(0xc5))/0x1*(-parseInt(_0x30...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

internal/product-telemetry.jsView on unpkg · L1
view/assets/vendor-GhUuOKHB.css.gzView file
path = view/assets/vendor-GhUuOKHB.css.gz kind = high_entropy_blob sizeBytes = 19522 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

view/assets/vendor-GhUuOKHB.css.gzView on unpkg
path = view/assets/vendor-GhUuOKHB.css.gz kind = compressed_blob sizeBytes = 19522 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

view/assets/vendor-GhUuOKHB.css.gzView on unpkg
chunks/vendor-COck-QwK.jsView file
path = chunks/vendor-COck-QwK.js kind = oversized_source_file sizeBytes = 12128716 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

chunks/vendor-COck-QwK.jsView on unpkg

Findings

9 High6 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/univer.js
HighShell
HighSame File Env Network Executioninternal/product-telemetry.js
HighObfuscated Payload Loaderinternal/product-telemetry.js
HighCross File Remote Execution Contextbin/univer.js
HighObfuscated
HighShips High Entropy Blobview/assets/vendor-GhUuOKHB.css.gz
HighOversized Source Filechunks/vendor-COck-QwK.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobview/assets/vendor-GhUuOKHB.css.gz
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptochunks/build-id-DLcSEx-D.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License