Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
4 flagged · loading sourcedist/index.jsView file
87import { fileURLToPath as fileURLToPath2 } from "node:url";
L88: import { spawn, spawnSync } from "node:child_process";
L89:
High
1202L1203: // node_modules/@bomb.sh/tab/dist/powershell-CHePOaos.mjs
L1204: function t(t3, n3) {
High
4431const source = skill.id === "jolly" ? bundledJollySkillPath() : skill.ref;
L4432: const result = spawnSync(
L4433: "npx",
...
L4440: const path = join2(projectDir(), ".mcp.json");
L4441: const endpoint = loadEnvValues(projectDir())["NEXT_PUBLIC_SALEOR_API_URL"] ?? process.env["NEXT_PUBLIC_SALEOR_API_URL"] ?? "https://your-store.saleor.cloud/graphql/";
L4442: const jollyEntry = {
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L44314807description: "The store is reachable but no product is available for purchase in the `us` channel \u2014 add channel listings (with price + availability) so products can sell; chec...
L4808: command: "npx @saleor/configurator deploy --failOnDelete"
L4809: });
...
L4819: if (wants("storefront")) {
L4820: const pnpmProbe = spawnSync("pnpm", ["--version"], { encoding: "utf8" });
L4821: const globalPnpm = !pnpmProbe.error && pnpmProbe.status === 0;
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L4807Findings
4 High3 Medium6 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License