Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/invoke-command.jsView file
298const bundleUrl = `${pathToFileURL(bundle.bundlePath).href}?invoke=${randomUUID()}`;
L299: const userModule = (await import(bundleUrl));
L300: const handler = extractBundleHandler(userModule, preflight.persona.id);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/invoke-command.jsView on unpkg · L298dist/cli.jsView file
45package = @agentworkforce/cli; repositoryIdentity = workforce; dependency = @agentworkforce/persona-kit
L45: main().catch(async (err) => {
L46: const { MissingPersonaInputError } = await import('@agentworkforce/persona-kit');
L47: if (err instanceof MissingPersonaInputError) {
High
Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/cli.jsView on unpkg · L45Findings
1 High4 Medium5 Low
HighCopied Package Dependency Bridgedist/cli.js
MediumDynamic Requiredist/invoke-command.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License