Static Scan Results
scanned 6h ago · by rust-scanner
Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell · WebSocket
HighEntropyStrings · UrlStrings
Source & flagged code
2 flagged
dist/core/base-tmux-launcher.js
L1: import { spawn, execFileSync } from 'node:child_process';
L2: import { createHash } from 'node:crypto';
...
L263: let out = '';
L264: ls.stdout.on('data', (d) => { out += d.toString(); });
L265: ls.on('exit', () => {
...
L762: env: {
L763: ...process.env,
L764: ...this.getAgentEnv(),
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/core/base-tmux-launcher.js · L1
dist/core/auto-updater.js
L1: import { execFile, execFileSync, spawn } from 'node:child_process';
L2: import { promisify } from 'node:util';
...
L185: registryUrl() {
L186: const def = 'https://registry.npmjs.org';
L187: const configured = this.config.npm[redacted];
...
L217: return null;
L218: const json = (await res.json());
L219: return json.dist?.integrity ?? null;
...
L270: // malicious. Bin-linking still happens (it's core npm, not a script).
L271: const { stdout } = await execFileAsync('npm', ['install', '-g', spec, '--ignore-scripts', '--no-fund', '--no-audit'], { timeout: 300_000, maxBuffer: 16 * 1024 * 1024 });
L272: const tail = stdout.trim().split('\n').slice(-1)[0] ?? '';
...
L303: scheduleRestart() {
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/core/auto-updater.js · L1
Findings
1 High · 3 Medium · 6 Low
High · Sandbox Evasion Gated Capability · dist/core/auto-updater.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/core/base-tmux-launcher.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings