Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
6import { fileURLToPath } from 'url';
L7: import { execSync, spawn } from 'child_process';
L8: const __dirname = dirname(fileURLToPath(import.meta.url));
L9: const TEMPLATES = ['react', 'vue', 'svelte', 'solid', 'preact', 'vanilla'];
...
L35: name = interactive
L36: ? asString(await p.text({
L37: message: 'Project name',
...
L94: await replaceInDir(targetDir, '{{PM}}', pm);
L95: const packageMetadata = JSON.parse(await readFile(join(__dirname, '..', 'package.json'), 'utf-8'));
L96: await replaceInDir(targetDir, '{{DOTCARBON_VERSION}}', packageMetadata.version);
...
L152: const proc = spawn('dotnet', ['tool', 'install', '--global', 'DotCarbon.Cli'], {
L153: stdio: 'ignore', shell: process.platform === 'win32',
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L6dist/shared/icons/icon.icnsView file
•path = dist/shared/icons/icon.icns
kind = high_entropy_blob
sizeBytes = 1812779
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
dist/shared/icons/icon.icnsView on unpkgFindings
2 High1 Medium4 Low
HighSandbox Evasion Gated Capabilitydist/index.js
HighShips High Entropy Blobdist/shared/icons/icon.icns
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings