Static Scan Results
scanned 7h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot

Behavioral surface: Child Process · Crypto · Environment Vars · Filesystem · Network · Shell · High Entropy Strings · Url Strings · No License
Source & flagged code
4 flagged

package.json
scripts.postinstall = node ./bin/baryon.js _welcome || true
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json

scripts.postinstall = node ./bin/baryon.js _welcome || true
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json

bin/baryon.js
L20: import { checkLatest, whoami } from "../src/api.js";
L21: import { spawnSync } from "node:child_process";
L22: import { createRequire } from "node:module";
High
Child Process
bin/baryon.js
src/commands.js
L256: return new Promise((resolve) => {
L257:   const child = spawn("baryon-edge", args, {
L258:     stdio: "inherit",
...
L262:   log(`  ${sym.warn} ${t("edge.notInstalled")}`);
L263:   log(`  ${c.lime("npm i -g github:baryonlabs/baryon-edge")}`);
L264:   resolve(1);
High
Runtime Package Install
Package source invokes a package manager install command at runtime. In the lines shown, the `npm i -g github:baryonlabs/baryon-edge` string is passed to log() next to an edge.notInstalled message rather than to spawn, so confirm during review whether an install is actually executed elsewhere or only suggested to the user.
src/commands.js · L256

Findings
4 High · 4 Medium · 5 Low

High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/baryon.js
High · Shell
High · Runtime Package Install · src/commands.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License
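The two checks that drive the High/Medium findings above (install-time lifecycle scripts against a static allowlist, and a package-manager install command reached at runtime) reimplemented as a small Node script. This is an added example, not the scanner's code or the package's code; it runs on constructed inputs that copy the flagged postinstall script and two of the flagged src/commands.js lines. The allowlist, the regexes, the severity labels, the "Install Hint Printed" category and the execSync line are assumptions made for the illustration.

```javascript
// Added example, not the scanner's code: a small reimplementation of the
// "Install Time Lifecycle Scripts" / "Ambiguous Install Lifecycle Script" check
// and the "Runtime Package Install" check from the report, run on constructed
// inputs. The allowlist, the severity labels, the "Install Hint Printed"
// category and the regexes are illustrative assumptions, not the scanner's rules.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Assumed allowlist: build-step commands a reviewer commonly treats as benign.
const ALLOWLISTED_INSTALL_COMMANDS = [
  /^node-gyp(-build)?( rebuild| install)?$/,
  /^prebuild-install( .*)?$/,
  /^husky( install)?$/,
];

// Every install-time hook is reported; a hook whose command does not match the
// allowlist gets a second, "needs review" finding, mirroring the report above.
function checkLifecycleScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const cmd = scripts[hook].trim();
    findings.push({ severity: "High", title: "Install Time Lifecycle Scripts", hook, cmd });
    if (!ALLOWLISTED_INSTALL_COMMANDS.some((re) => re.test(cmd))) {
      findings.push({ severity: "Medium", title: "Ambiguous Install Lifecycle Script", hook, cmd });
    }
  }
  return findings;
}

// A package-manager install invocation, and the two contexts that matter:
// handed to a child-process API (executed) or handed to a logger (printed).
const PKG_MANAGER_INSTALL = /\b(npm|pnpm|yarn|pip3?|cargo)\s+(i|install|add)\b/;
const CHILD_PROCESS_CALL = /\b(spawn|spawnSync|exec|execSync|execFile|execFileSync)\s*\(/;
const LOG_CALL = /\b(console\.(log|warn|error|info)|log)\s*\(/;

// Line-oriented: each line carrying an install command is classified by the
// call it sits in. An executed install is High; a printed install hint (as in
// the flagged src/commands.js lines) is only informational.
function checkRuntimeInstall(sourceText) {
  const findings = [];
  sourceText.split("\n").forEach((text, idx) => {
    if (!PKG_MANAGER_INSTALL.test(text)) return;
    const line = idx + 1;
    let severity = "Low";
    let title = "Package Manager Install String";
    if (CHILD_PROCESS_CALL.test(text)) {
      severity = "High";
      title = "Runtime Package Install";
    } else if (LOG_CALL.test(text)) {
      severity = "Info";
      title = "Install Hint Printed";
    }
    findings.push({ severity, title, line, text: text.trim() });
  });
  return findings;
}

// Constructed inputs. The postinstall script and the first two source lines are
// copied from the report; the execSync line is invented to show an install that
// really is executed at runtime.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-package",
  scripts: {
    postinstall: "node ./bin/baryon.js _welcome || true",
    test: "node --test",
  },
});

const SAMPLE_SOURCE = [
  'const child = spawn("baryon-edge", args, {',
  'log(`  ${c.lime("npm i -g github:baryonlabs/baryon-edge")}`);',
  'execSync("npm install --no-save some-helper"); // constructed line',
].join("\n");

function runChecks() {
  return {
    lifecycle: checkLifecycleScripts(SAMPLE_PACKAGE_JSON),
    runtime: checkRuntimeInstall(SAMPLE_SOURCE),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

The line-oriented runtime check is deliberately crude: it separates "npm install handed to execSync" from "npm install handed to log()", which is the distinction a reviewer has to make by hand for the flagged src/commands.js snippet, but it cannot see the `args` array passed to spawn("baryon-edge", ...) on the line above, so a real review still has to follow where those arguments come from.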