Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/tools/scaffold.jsView file
132try {
L133: const { execSync } = await import("child_process")
L134: execSync("npm install", { cwd: directory, stdio: "pipe", timeout: 60000 })
High
Child Process
Package source references child process execution.
src/tools/scaffold.jsView on unpkg · L132src/auto-update.jsView file
4* On every startup, checks the npm registry for a newer version. If found, performs
L5: * the appropriate update (clear npx cache or `npm install -g`) and exits with
L6: * code 0 so the host (Cursor / Claude / Trae / VSCode) re-spawns the process
...
L15: import { homedir, tmpdir } from "node:os";
L16: import { execSync } from "node:child_process";
L17:
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
src/auto-update.jsView on unpkg · L4Findings
3 High3 Medium5 Low
HighChild Processsrc/tools/scaffold.js
HighShell
HighRuntime Package Installsrc/auto-update.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings