Static Scan Results
scanned 7h ago · by rust-scannerStatic analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
4 flagged · loading sourcedist/index.jsView file
87import { fileURLToPath as fileURLToPath2 } from "node:url";
L88: import { spawn, spawnSync } from "node:child_process";
L89:
High
1276L1277: // node_modules/@bomb.sh/tab/dist/powershell-CHePOaos.mjs
L1278: function t(t3, n3) {
High
4629return new Promise((resolve) => {
L4630: const child = spawn(
L4631: "npx",
...
L4639: const path = join2(projectDir(), ".mcp.json");
L4640: const endpoint = loadEnvValues(projectDir())["NEXT_PUBLIC_SALEOR_API_URL"] ?? process.env["NEXT_PUBLIC_SALEOR_API_URL"] ?? "https://your-store.saleor.cloud/graphql/";
L4641: const jollyEntry = {
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L46295029description: "The store is reachable but no product is available for purchase in the `us` channel \u2014 add channel listings (with price + availability) so products can sell; chec...
L5030: command: "npx @saleor/configurator deploy --failOnDelete"
L5031: });
...
L5041: if (wants("storefront")) {
L5042: const pnpmProbe = spawnSync("pnpm", ["--version"], { encoding: "utf8" });
L5043: const globalPnpm = !pnpmProbe.error && pnpmProbe.status === 0;
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L5029Findings
4 High3 Medium6 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License