Static Scan Results
scanned 1h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcedist/index.jsView file
16import fs from "fs";
L17: import { execSync } from "child_process";
L18: import pc from "picocolors";
High
377step("Generate Encryption Key");
L378: const crypto2 = await import("crypto");
L379: const encryptionKey = crypto2.randomBytes(32).toString("base64");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L377dist/chunk-L2HA4GCW.jsView file
686package = @flowlib/cli; repositoryIdentity = flowlib; dependency = @flowlib/db
L686: try {
L687: const db = await import("@flowlib/db");
L688: coreSchema = db.CORE_SCHEMA;
High
Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/chunk-L2HA4GCW.jsView on unpkg · L686809const configFile = findDrizzleConfig();
L810: const cmd = configFile ? `npx drizzle-kit generate --config ${configFile}` : "npx drizzle-kit generate";
L811: execSync(cmd, {
L812: stdio: ["pipe", "inherit", "inherit"],
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/chunk-L2HA4GCW.jsView on unpkg · L809Findings
4 High3 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCopied Package Dependency Bridgedist/chunk-L2HA4GCW.js
HighRuntime Package Installdist/chunk-L2HA4GCW.js
MediumDynamic Requiredist/index.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings