Static Scan Results
scanned 6h ago · by rust-scannerStatic analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessDynamicRequireEnvironmentVarsNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/mcp.cjsView file
2L3: var core = require('@agentskit/core');
L4:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/mcp.cjsView on unpkg · L2dist/index.jsView file
2import { resolve, relative, isAbsolute, sep } from 'path';
L3: import { execFile } from 'child_process';
L4: import { promisify } from 'util';
...
L9: async function serperSearch(query, apiKey, maxResults) {
L10: const response = await fetch("https://google.serper.dev/search", {
L11: method: "POST",
...
L15: },
L16: body: JSON.stringify({ q: query, num: maxResults })
L17: });
...
L23: }
L24: const data = await response.json();
L25: return (data.organic ?? []).map((r) => ({
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/index.jsView on unpkg · L2Findings
1 High4 Medium3 Low
HighCloud Metadata Accessdist/index.js
MediumDynamic Requiredist/mcp.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings