Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
FilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = npx only-allow pnpm
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgdist/index.mjsView file
6import { fileURLToPath } from "node:url";
L7: import { execa } from "execa";
L8: //#region src/template.ts
High
485s.stop("pnpm-lock.yaml をコピーしました");
L486: s.start("pnpm install を実行しています...");
L487: await execa("pnpm", ["install", "--frozen-lockfile"], {
L488: cwd: outDir,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.mjsView on unpkg · L485templates/nodejs/common/entrypoint.shView file
•path = [redacted].sh
kind = build_helper
sizeBytes = 34
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
templates/nodejs/common/entrypoint.shView on unpkgFindings
3 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighShelldist/index.mjs
HighRuntime Package Installdist/index.mjs
MediumNetwork
MediumShips Build Helpertemplates/nodejs/common/entrypoint.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings