registry  /  vaaya-cli  /  0.1.0

vaaya-cli@0.1.0

Vaaya CLI — give your agent paid superpowers. One command installs the Vaaya MCP server into Claude Code, Claude Desktop, Cursor, and Codex: media & video generation, product demo videos, web search & scraping, deep/market research, GTM & lead enrichment,

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.42 KB of source, external domains: vaaya.ai

Source & flagged code

3 flagged · loading source
bin/vaaya.mjsView file
7L8: import { spawnSync } from 'node:child_process' L9: import { createRequire } from 'node:module'
High
Child Process

Package source references child process execution.

bin/vaaya.mjsView on unpkg · L7
7L8: import { spawnSync } from 'node:child_process' L9: import { createRequire } from 'node:module' L10: L11: const { version } = createRequire(import.meta.url)('../package.json') L12: L13: const HELP = `vaaya ${version} — give your agent paid superpowers (https://vaaya.ai) L14: ... L55: stdio: 'inherit', L56: shell: process.platform === 'win32', L57: })
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/vaaya.mjsView on unpkg · L7
53const args = cmd === 'serve' ? rest : [cmd, ...rest] L54: const result = spawnSync('npx', ['-y', '@vaaya/mcp@latest', ...args], { L55: stdio: 'inherit',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/vaaya.mjsView on unpkg · L53

Findings

4 High1 Medium2 Low
HighChild Processbin/vaaya.mjs
HighShell
HighSandbox Evasion Gated Capabilitybin/vaaya.mjs
HighRuntime Package Installbin/vaaya.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowUrl Strings