Static Scan Results
scanned 8d ago · by rust-scannerStatic analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
Source & flagged code
3 flagged · loading sourcedist/chunk-CVXBE3ST.jsView file
25880// ../integration-commoncrawl/src/plugin-installer.ts
L25881: import { spawn } from "child_process";
L25882: import fs4 from "fs/promises";
High
Child Process
Package source references child process execution.
dist/chunk-CVXBE3ST.jsView on unpkg · L25880dist/cli.jsView file
10651databasePath,
L10652: apiUrl: env.apiUrl || existingConfig?.apiUrl || `http://localhost:${process.env.CANONRY_PORT || "4100"}`,
L10653: providers: Object.keys(mergedProviders ?? {}),
...
L10666: // src/commands/daemon.ts
L10667: import { spawn } from "child_process";
L10668: import fs10 from "fs";
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/cli.jsView on unpkg · L10651dist/chunk-4TQOZJPF.jsView file
187var _require = createRequire(import.meta.url);
L188: var { version: VERSION } = _require("../package.json");
L189: var TELEMETRY_ENDPOINT = "https://canonry.ai/api/telemetry";
L190: var TIMEOUT_MS = 3e3;
...
L201: function isTelemetryEnabled() {
L202: if (process.env.CANONRY_TELEMETRY_DISABLED === "1") return false;
L203: if (process.env.DO_NOT_TRACK === "1") return false;
L204: if (process.env.CI) return false;
L205: if (!configExists()) return true;
...
L243: try {
L244: const hostname = os.hostname() || "";
L245: const mac = firstNonInternalMac();
High
Host Fingerprint Exfiltration
Source collects local host identity data and sends it to an external endpoint.
dist/chunk-4TQOZJPF.jsView on unpkg · L187Findings
4 High4 Medium6 Low
HighChild Processdist/chunk-CVXBE3ST.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighHost Fingerprint Exfiltrationdist/chunk-4TQOZJPF.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings