Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcesrc/lib/setup-codegraph.mjsView file
1import { execSync, spawnSync } from 'child_process'
L2: import { readFileSync, writeFileSync } from 'fs'
High
Child Process
Package source references child process execution.
src/lib/setup-codegraph.mjsView on unpkg · L1src/commands/ccdx/setup.jsView file
107try {
L108: execSync('lsof -ti:3131 | xargs kill -9 2>/dev/null || true', { shell: true, stdio: 'pipe' })
L109: } catch (_) {}
High
src/lib/toolkit.jsView file
71log.info('Installing starter kit dependencies…')
L72: execSync('npm install -q', { cwd: dest, stdio: 'pipe' })
L73: }
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
src/lib/toolkit.jsView on unpkg · L71setup.shView file
•path = setup.sh
kind = build_helper
sizeBytes = 25006
magicHex = [redacted]
Medium
Findings
3 High4 Medium4 Low
HighChild Processsrc/lib/setup-codegraph.mjs
HighShellsrc/commands/ccdx/setup.js
HighRuntime Package Installsrc/lib/toolkit.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersetup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings