Static Scan Results
scanned 1d ago · by rust-scanner
Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · EnvironmentVars · Filesystem · Network · Shell · HighEntropyStrings · UrlStrings
Source & flagged code
3 flagged · dist/index.js
L9: import { z } from 'zod';
L10: import { execSync, spawn } from 'child_process';
L11: import { mkdtempSync, writeFileSync, rmSync, promises } from 'fs';
High
L9: import { z } from 'zod';
L10: import { execSync, spawn } from 'child_process';
L11: import { mkdtempSync, writeFileSync, rmSync, promises } from 'fs';
...
L153: error: integrationError,
L154: metadata: this.createMetadata(action, 0, 0)
L155: };
...
L1127: super(config);
L1128: this.apiUrl = config.env.DEEPAGENT_API_URL || "http://localhost:3000";
L1129: this.apiKey = config.env.DEEPAGENT_API_KEY || "";
...
L1240: }
L1241: return await response.json();
L1242: }
High
Credential Exfiltration
Source combines credential-like environment material and outbound requests; review data flow before blocking.
dist/index.js · L9
L1757: this.logger.debug("Validating schema", { path: schemaPath });
L1758: const output = execSync(
L1759: `npx @almadar/cli validate "${schemaPath}" --format=json`,
L1760: {
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.js · L1757
Findings
4 High · 3 Medium · 4 Low
High · Child Process · dist/index.js
High · Shell
High · Credential Exfiltration · dist/index.js
High · Runtime Package Install · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings