Static Scan Results
scanned 4d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
4 flagged · loading sourcedist/git.jsView file
1import { spawnSync } from 'child_process';
L2: import { existsSync, readFileSync, writeFileSync } from 'fs';
High
455* fast-forwarded; a failed install is a fixable follow-up, not a reason to strand the draft).
L456: * `shell: true` is required so Windows can invoke `npm.cmd` — Node 20+ refuses to spawn a `.cmd`
L457: * directly (EINVAL) without a shell. The args are fixed (no user input), so the DEP0190 shell-arg
High
dist/providers/fly.jsView file
1import { spawnSync } from 'child_process';
L2: import { existsSync, readFileSync, readdirSync } from 'fs';
...
L13: function installHint() {
L14: const cmd = process.platform === 'win32'
L15: ? 'pwsh -Command "iwr https://fly.io/install.ps1 -useb | iex"'
L16: : 'curl -L https://fly.io/install.sh | sh';
...
L35: const ext = process.platform === 'win32' ? '.exe' : '';
L36: candidates.push(join(homedir(), '.fly', 'bin', `flyctl${ext}`));
L37: for (const bin of candidates) {
...
L48: }
L49: /** Run a Fly command quietly and capture stdout (for probes like whoami/status). */
L50: /** Docker `--build-arg` pairs stamping the image's identity (surfaced under Settings → Version):
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/providers/fly.jsView on unpkg · L1dist/commands/new.jsView file
38console.log('Installing dependencies (flopod + TS types)...');
L39: execSync('npm install --prefer-offline --no-audit --no-fund', { cwd: dir, stdio: 'inherit' });
L40: // A project is its OWN local git repo — the source-control substrate
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/new.jsView on unpkg · L38Findings
4 High2 Medium5 Low
HighChild Processdist/git.js
HighShelldist/git.js
HighSandbox Evasion Gated Capabilitydist/providers/fly.js
HighRuntime Package Installdist/commands/new.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License