Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcesrc/cli.tsView file
20import { basename, dirname, extname, join } from 'path'
L21: import { spawn, spawnSync } from 'child_process'
L22: import { selfInstall } from './selfInstall.ts'
...
L60: // (so a hung call rejects instead of hanging) plus a few backoff retries.
L61: const OUTBOUND_SEND_TIMEOUT_MS = Number(process.env.TELEGRAM_OUTBOUND_TIMEOUT_MS ?? '') || 30_000
L62: const OUTBOUND_SEND_RETRIES = Number(process.env.TELEGRAM_OUTBOUND_RETRIES ?? '') || 2
...
L190: intelligence: Intelligence
L191: // Private runtime-plugin config (owner: telegram-runtime; design sync with
L192: // iapeer 2026-06-11, topic aliases-section-design). Named for the MECHANISM,
...
L328: function printJson(value: unknown): void {
L329: process.stdout.write(`${JSON.stringify(value, null, 2)}\n`)
L330: }
Critical
Command Output Exfiltration
Source executes local commands and sends command output to an external endpoint.
src/cli.tsView on unpkg · L2020import { basename, dirname, extname, join } from 'path'
L21: import { spawn, spawnSync } from 'child_process'
L22: import { selfInstall } from './selfInstall.ts'
High
Findings
1 Critical2 High3 Medium4 Low
CriticalCommand Output Exfiltrationsrc/cli.ts
HighChild Processsrc/cli.ts
HighShell
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings