Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/version.jsView file
15import { createRequire } from 'node:module';
L16: const require = createRequire(import.meta.url);
L17: export const OWN_VERSION = (() => {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/version.jsView on unpkg · L15dist/api.jsView file
4import { OWN_VERSION } from './version.js';
L5: const API_URL = process.env.DAILEY_API_URL || 'https://os.dailey.cloud/api';
L6: const DAILEY_EMAIL = process.env.DAILEY_EMAIL;
...
L17: let dir;
L18: if (process.platform === 'darwin') {
L19: dir = join(homedir(), 'Library', 'Preferences', name);
L20: }
...
L26: }
L27: const cfg = JSON.parse(readFileSync(join(dir, 'config.json'), 'utf8'));
L28: const tok = typeof cfg?.token === 'string' ? cfg.token.trim() : '';
...
L66: // MCP-stdio invocation and emit a JSON-RPC-shaped error instead of just
L67: // dying with a stderr line that Claude Code doesn't surface.
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/api.jsView on unpkg · L4Findings
1 High4 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/api.js
MediumDynamic Requiredist/version.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License