Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemShell
UrlStrings
Source & flagged code
4 flagged · loading sourcescripts/init.mjsView file
5import { fileURLToPath } from 'url';
L6: import { spawn } from 'child_process';
L7: import pc from 'picocolors';
High
75stdio: 'inherit',
L76: shell: true,
L77: });
High
72const npm = process.platform === 'win32' ? 'npm.cmd' : 'npm';
L73: const install = spawn(npm, ['install'], {
L74: cwd: projectPath,
...
L80: if (code !== 0) {
L81: reject(new Error(`npm install exited with code ${code}`));
L82: return;
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
scripts/init.mjsView on unpkg · L72content/docker/ollama/watch.shView file
•path = content/docker/ollama/watch.sh
kind = build_helper
sizeBytes = 45
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
content/docker/ollama/watch.shView on unpkgFindings
3 High3 Medium3 Low
HighChild Processscripts/init.mjs
HighShellscripts/init.mjs
HighRuntime Package Installscripts/init.mjs
MediumEnvironment Vars
MediumShips Build Helpercontent/docker/ollama/watch.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings