Static Scan Results
scanned 6d ago · by rust-scannerStatic analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Source & flagged code
4 flagged · loading sourcebin/alphaclaw.jsView file
6const path = require("path");
L7: const { execFileSync, execSync } = require("child_process");
L8: const {
High
171// In environments where the container filesystem is ephemeral (Railway, etc.),
L172: // the npm install from the update endpoint is lost on restart. This re-runs it
L173: // from the fresh container using the persistent volume marker.
...
L185: try {
L186: execSync(
L187: "npm install @chrysb/alphaclaw@latest --omit=dev --prefer-online",
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/alphaclaw.jsView on unpkg · L1713L4: const fs = require("fs");
L5: const os = require("os");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/alphaclaw.jsView on unpkg · L3lib/setup/hourly-git-sync.shView file
•path = lib/setup/hourly-git-sync.sh
kind = build_helper
sizeBytes = 3183
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
lib/setup/hourly-git-sync.shView on unpkgFindings
3 High5 Medium6 Low
HighChild Processbin/alphaclaw.js
HighShell
HighRuntime Package Installbin/alphaclaw.js
MediumDynamic Requirebin/alphaclaw.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperlib/setup/hourly-git-sync.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings