Static Scan Results
scanned 6h ago · by rust-scanner
Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · DynamicRequire · EnvironmentVars · Filesystem · Shell · HighEntropyStrings · UrlStrings
Source & flagged code
3 flagged
dist/commands/deploy.js
L1: // @celsian/cli — Deploy command: generates config files and deploys to platform CLIs
L2: import { execSync } from "node:child_process";
L3: import { existsSync, mkdirSync, writeFileSync } from "node:fs";
High
Child Process
Package source references child process execution.
dist/commands/deploy.js · L1
L354: try {
L355: execSync("npx celsian build", { cwd, stdio: "inherit" });
L356: }
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/deploy.js · L354
dist/commands/routes.js
L23: // ("Top-level await is currently not supported with the cjs output format").
L24: const loaderScript = `const mod = await import(${JSON.stringify(`file://${fullEntry}`)});
L25: const app = mod.default ?? mod.app;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/commands/routes.js · L23
Findings
3 High · 3 Medium · 4 Low
High · Child Process · dist/commands/deploy.js
High · Shell
High · Runtime Package Install · dist/commands/deploy.js
Medium · Dynamic Require · dist/commands/routes.js
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings