Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsEvalFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcesrc/vite/plugin.jsView file
33*/
L34: import { exec, execFileSync } from "node:child_process";
L35: import { existsSync, readFileSync, writeFileSync } from "node:fs";
High
Child Process
Package source references child process execution.
src/vite/plugin.jsView on unpkg · L33403);
L404: const cmd = `npx tsx ${JSON.stringify(scriptPath)} --site ${schemaSiteName}`;
L405: exec(cmd, { cwd }, (err) => {
L406: schemaInFlight = false;
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
src/vite/plugin.jsView on unpkg · L403src/sdk/workerEntry.tsView file
472if (data.args && data.args.script) {
L473: try { eval(data.args.script); } catch(e) { console.error("[deco] inject error:", e); }
L474: }
Low
Eval
Package source references a known benign dynamic code generation pattern.
src/sdk/workerEntry.tsView on unpkg · L472Findings
3 High3 Medium6 Low
HighChild Processsrc/vite/plugin.js
HighShell
HighRuntime Package Installsrc/vite/plugin.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalsrc/sdk/workerEntry.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License