Static Scan Results
scanned 6d ago · by rust-scannerStatic analysis flagged 25 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshotSource & flagged code
16 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
clis/douyin/_shared/tos-upload-short-read.test.jsView on unpkg · L47AWS access key ID in clis/douyin/_shared/tos-upload-short-read.test.js
clis/douyin/_shared/tos-upload-short-read.test.jsView on unpkg · L47AWS access key ID in clis/douyin/_shared/tos-upload-short-read.test.js
clis/douyin/_shared/tos-upload-short-read.test.jsView on unpkg · L67Package source references child process execution.
dist/src/external.jsView on unpkg · L4Package source references a known benign dynamic code generation pattern.
dist/src/weixin-download.test.jsView on unpkg · L22Package source references dynamic require/import behavior.
dist/src/discovery.jsView on unpkg · L256Package source executes code through a VM context API.
clis/douban/utils.test.jsView on unpkg · L109Package source references weak cryptographic algorithms.
clis/flomo/memos.jsView on unpkg · L76Source writes installer persistence such as shell profile or service configuration.
scripts/postinstall.jsView on unpkg · L7Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/src/cli.jsView on unpkg · L100Hardcoded password in dist/src/observation/redaction.test.js
dist/src/observation/redaction.test.jsView on unpkg · L28AWS access key ID in clis/douyin/_shared/tos-upload.test.js
clis/douyin/_shared/tos-upload.test.jsView on unpkg · L149AWS access key ID in clis/douyin/_shared/tos-upload.test.js
clis/douyin/_shared/tos-upload.test.jsView on unpkg · L166